I am considering the login and security mechanism for my testing site. The current situation is as follows:
- there is a table in the database with 3 columns (name, password, number to differentiate between access rights)
- after successful login and assignment of access rights, a session is created with the name of the user and the access rights
- admin has access everywhere, a user to certain pages, and a user who is not logged in only to the welcome and login pages
- every page is inherited from a master page, where there is some logic to check the session
- admin- and user-specific pages have a control mechanism to determine the access rights of the current user in the session
I also tried to do this with the membership and roles manager, however the database generated by ASP.NET is quite a big mess (a large number of tables and records in every table). I have no idea how to configure membership and roles as I wrote above (meaning a simple table and my own login controls).
But there are some advantages of membership and roles (easy to get number of logged users, less code, automatic logoff when closing page/browser, automatic session management, etc …).
I was also thinking about forms authentication, but I am not sure if it offers as much flexibility as session and membership.
Using the Membership and Role managers has many benefits.
However, sometimes the data generated by the default Membership and Role providers isn’t sufficient.
For that purpose you can create custom membership, role providers and/or a custom membership user if you need your own data source or custom logic.
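
One way to apply that suggestion to the simple table from the question, as an added example (not code from either poster): a read-only custom role provider that maps the numeric access-rights column to role names. The table name `Users`, the column names, the values 1 = user and 2 = admin, and the connection string name `SiteDb` are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Security;

// Hypothetical read-only role provider over the question's three-column table.
// Assumed schema: Users(Name, Password, AccessLevel) with 1 = user, 2 = admin,
// and a connection string named "SiteDb" in web.config.
public class SimpleRoleProvider : RoleProvider
{
    private static readonly string[] Roles = { "user", "admin" };

    public override string ApplicationName { get; set; }

    public override string[] GetRolesForUser(string username)
    {
        string cs = ConfigurationManager.ConnectionStrings["SiteDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT AccessLevel FROM Users WHERE Name = @name", conn))
        {
            // Parameterized query: the user name never becomes part of the SQL text.
            cmd.Parameters.AddWithValue("@name", username);
            conn.Open();
            object level = cmd.ExecuteScalar();
            if (level == null || level == DBNull.Value) return new string[0]; // unknown user: no roles
            switch (Convert.ToInt32(level))
            {
                case 2: return new[] { "admin", "user" }; // admin can do everything a user can
                case 1: return new[] { "user" };
                default: return new string[0];            // unexpected value: deny by default
            }
        }
    }

    public override bool IsUserInRole(string username, string roleName) { return Array.IndexOf(GetRolesForUser(username), roleName) >= 0; }
    public override string[] GetAllRoles() { return (string[])Roles.Clone(); }
    public override bool RoleExists(string roleName) { return Array.IndexOf(Roles, roleName) >= 0; }

    // Roles are derived from the AccessLevel column, so role management is not supported here.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
}
```

Once the provider is registered under `<roleManager>` in web.config, `User.IsInRole` and `<authorization>` rules resolve roles through it, so the per-page session checks for access rights are no longer needed.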