I hesitate to make a decision about the authentication and authorization in a new web application.
The Membership, Roles and Profile built in Asp.net 2.0 seems impressive, but there are too many things behind them, which is uneasy to find out.
I’ve decide use my own DB structure so I have to rewrite my own provider, but there is still some thing I can’t figure out, such as session and cookie.What, when and how does it encrypt and after retrieving user info from DB, seems cookie is uesed but how about session? I make use of MSDN, .Net Reflactor and Goole but get no answer. I mean I know the configuration and result but not sure how.
I don’t think I can do a good job in the later improvement and maintenance if I don’t know how the things process behind the Login controls and membership components.
So help me please, what should I do? I want to know how things run behind the screen. Any suggestion is looking forward!
You can download the source code for the providers here. Learn as much as you want from it and see how Microsoft implemented it. You might even want to recycle some pieces on the FormsAuthenticationTicket.
Microsoft’s also using salted hashing to store the passwords for increased security. That might also be of interest to you when you make your own providers.