Is *not* using the asp.net membership provider a bad idea?

Is it generally a really bad idea to not use the built-in asp.net membership provider?

I've always rolled my own for my asp.net apps (public facing), and really have not had any problems in doing so. It works, and seems to avoid a layer of complexity. My needs are pretty basic: once setup, the user must use email address and password to login, if they forget it, it will be emailed back to them (a new one). After setup there is little that needs to be done to each user account, but I do need to store several extra fields with each user (full name, telephone and a few other fields etc). The number of users that required login credentials are small (usually just the administrator and a few backu开发者_如何学JAVAps), and everyone else uses the site unauthenticated.

What are the big advantages that I might be missing out on by skipping the asp.net membership provider functionality?

Rolling your own authentication system is never a good idea. There are so many ways to get it wrong that still seem to work in testing, until a year later when you find out your site was cracked six months ago.

Always lean as much as possible on the security code provided for you by your platform, be it asp.net or anything else. Do this, and the system is supported by a vendor with many more deployments so that bugs can be found and fixed more easily, and even if you do have a problem you can place the blame on the vendor when your boss comes asking about it. Not to mention that once you get past the first time using your vendor's solution, additional deployments will be faster. This is just the right way to do it.

The ASP.Net Membership provider is far from perfect, but I promise you that it's preferable to building it from scratch.

The advantages of the provider model are outlined here, but in brief:

1. Certain out-of-the-box webcontrols are built to use the membership provider model, such as the Login control/view and the Create User Wizard. So you miss out on a 1-step configuration for having a logged-in dashboard for all your pages without writing any code.

2. Providers can be swapped with a simple change in the web.config file. Not saying you can't write your own login stuff to do the same, but you can easily write a custom provider at some point down the road and switch it into your application without changing a thing in the application.

3. All the basics are provided. The default membership providers have password retrieval, account locking, multiple password encryption methods, valid password restriction rule configuration and user management, all out of the box. Just using that alone is a huge reduction in setup time for most people starting an ASP.Net application from scratch.

4. A large component of your application is already vetted. You don't need to worry about debugging all your own authentication code! This means that when there are bugs, you often get fixes before site breaks, and you have the ability to pass the blame if not.

I agree with Ayende's feelings about this:

It is a huge API, it makes a lot of assumptions and it is really not nice to work with in terms of what it gives you and what you have to implement

This is also my experience. Anytime that I've implemented my own membership provider (twice at the time of this writing) I left the vast majority of the overridden methods unimplemented, because I was never going to call them and I wasn't using any of the web-forms controls that make use of them.

The Sql and Active Directory providers are great if they meet all of your needs. But if they don't and you are thinking of implementing the providers, there may be a better way for you.

Don't confuse the MembershipProvider with FormsAuthentication, which I still rely on regularly for my applications. This is the mechanism that takes care of wrapping the user's authentication token in a cookie and passing between client and server. There's nothing wrong with FormsAuthentication as far as I know and I wouldn't suggest reinventing it.

If you don't want to implement dozens of MembershipProvider methods, RoleProviderMethods, and ProfileProvider methods then just implement IPrincipal and IIdentity and just do what you need to do. Here's an example of getting those 2 interfaces working with FormsAuthentication, which is trivial.

Also, be aware that you need to be smart about storing your users' credentials. The SqlMembershipProvider does can at least store hashed salted passwords. Be sure you at least do the same. Here's a nice piece of code to help out with this. Notice the slow hashing algorithm used. Don't do drugs.

update (2013-12-16)

Things have changed in ASP.net since I wrote this. ASP.NET Identity replaces the Membership features from before.

My recommendation is to use the new stuff because:

• You can implement various interfaces to compose a solution that meets your needs. This means you can implement that parts you want and ignore that parts you don't.
• You can completely change where/how you store the identity data, while retaining the default implementation controlling how passwords get hashed.
• OAuth and OpenID features.
• You can use the same system in any framework built on OWIN.

The API is slightly more complicated than before, but more flexible.

If you've got a solution that works well, stick with it. "If something works, don't fix it" and all that. Otherwise, consider that the Membership API has thousands of times the number of programmer-hours, QA-hours and user-hours behind it than anything you could come up with on your own.

You might get some insight from these other popular questions:

Which authentication and authorization schemes are you using - and why?

Microsoft Membership Provider Vs Custom Provider Vs Complete Custom Login System

Anyone uses ASP .NET Membership?

Alternatives to .Net Membership

There is more to membership then just membership (login, email, password, and functionality around it). Aspnet separates membership from profile, and they can be integrated. Profile is everything you call 'extra fields'. You can have an anonimous profile with some customization, even if you don't have a membership. For example, a user could setup preferences, return to site, and still have them, but still don't register. Then when you register, anonimous profile can be migrated and associated with your new membership.

That is what you basically miss when you skip it.

Also, if you choose to use build in or third party controls which make use of membership and profiles, you miss it too.

You could implement a provider, instead of dropping the provider model all at once.

In your case, authenticated users are the exception, not the norm, so it probably doesn't hurt to roll your own.

One thing .net provides is a brute force attack prevention, in case someone tries to brute force the admin password, the admin account will be locked out.

I feel your pain with the complexities of the built-in ASP.Net authentication. I was tired of having to write code for features that I was never going to use. (as well as leaving a bunch of NotImplemented functions). I also was sick of the difficulties of using something other than a GUID and having multiple database roundtrips on each page load(just for authentication)... So, I rolled my own. It's named FSCAuth and it's BSD licensed.

I've made it a bit harder than ASP.Net's built in authentication to get wrong as well. All of the cookie handling and actual hashing is left to the core of FSCAuth, while all you have to worry about is storing users in the database and controlling what pages need to be authenticated on.

If you're facing the question of ASP.Net's built-in authentication and rolling your own, I suggest you give my authentication library a look first, if not just using it as a starting point.

How do you save the users' passwords? If you're saving in plain text, that's a major risk. One advantage of the ASP.NET Membership system is that it encrypts passwords by hashing, out of the box.