On ASP.net authentication models
To learn ASP.net I started building a todo web app(web forms not MVC), this is essentially helping me in learning how ASP.net works, during this course I have also learnt about the authentication modules provided by asp.net, and t开发者_Go百科o my understanding it is fairly complex unlike what I've seen in PHP (A very limited experience in PHP)
Is it a good practice to have your own authentication module without using the traditional model provided by asp.net. By indicating my own authentication module I even want to discard the custom membership provider and have a normal implementation. In few scenarios, you don't require much information,
As in my application,
I'm planning of having only username, password, and email address. Thats it that serves the purpose for me. In this scenario, how should I go about designing the app?
In few other scenario's you require much more than what the CreateUserWizard provides. How should I go about designing this scenario?
Thank you.
This is a bad idea. You don't have to implement everything included in the asp.net membership system. If all you want is username, password, and e-mail, that's all you need to use.
ALWAYS lean as much as possible on your platform's security code. You don't want to try to write this kind of things yourself, because it's so easy to write something that seems to work in testing but still has a glaring hole for crackers that you won't ever find out about until 6 months after your site is breached and all your customer's personal information was stolen.
Learn about how to create a custom membership provider, then see why Microsoft guys make it that way.
Actually the provider is a bridge between a User object, and its data stored in the database or another place. So a custom membership provider offers you enough flexibility.
I agree with Joel that write your own authentication code from scratch is bad.
精彩评论