There is so much information and terms here I find it hard to start think about users. What options would I have for creating a user-based ASP.net MVC 3 web app? I’ve read of membership, providers, authorization, authentication, session, cookies, roles and profiles, but I can’t seem to get a grasp on the big picture of how user-things are handled.
What are the pros/cons of using a built-in microsoft solution here? What is it even called?
Can I use my own database only (I want to work database first)?
In my mind I think like so: I have users and roles in a database. Users have roles. I want to deny access to some actions depending on if the user is logged in and has a specific role. Am I over-simplifying the issue? Where should I start?
At the moment I’m thinking of doing a 100% home brew system like when I was developing using PHP but since there’s so much info I feel like that would not be a good approach here.
You want users and roles, i.e. you want to authenticate users and authorize them with privileges using roles. I would highly recommend not rolling your own, as you would in PHP. Instead, I recommend using the .NET “Provider” services — specifically, the
MembershipProvider(for authentication) and theRoleProvider(for authorization).You can still use the Providers with your own db, they are not exclusive to or exclusive with code first. However, I would recommend NOT storing application-specific user information in the Provider’s user or member tables. Instead, you can have your own code-first
User, and link it to the membership system through the user’s username.The reason I recommend this is because it reduces the amount of work you have to do. You need not worry about encrypting or hashing passwords — the provider does it for you. You have full API to control your users and roles through the
System.Web.Securitynamespace.As for
Profiles, this is a separate Provider service that you do not need to use. It allows you to store information about users whether or not they have registered for a user account in your system. Technically you can have “anonymous users”, but anyone who has created a password-based login is instead referred to as a “member”.Regarding cookies, authentication of a user in .NET is done through the
FormsAuthenticationclass. After you have authenticated a user usingSystem.Web.Security.Membership, you can callFormsAuthentication.SetAuthCookieto write their authentication cookie. This fully integrates both theUserand theirRolesinto theController.Userproperty, which implements theIPrincipalinterface. You can use this object to get the user’s name, and find out which roles they are in.Reply to comments
I answered a very similar question here. Basically, it’s up to you whether or not to have the membership in a completely separate db than your application, but I consider it good practice, because I have done this quite a bit and I have no complaints. Especially if you are using code first, since you can lose your entire db if you use the
DropCreateDatabaseIfModelChangesorDropCreateDatabaseAlwaysinitializers.There is also a new membership provider. I think the NuGet package is called “ASP.NET Universal Providers”, and they are in the
System.Web.Providersnamespace instead of the oldSystem.Web.Securitynamespace. I haven’t had a chance to work with them yet, but from what I gather, they are more compatible with code first. For one thing, the tables aren’t named likeaspnet_Foo, and there are no views or stored procedures created in the db. The table names are just normaldbo.Users,dbo.Roles, etc.As for linking the provider users with your app (content) User entities, see the answer I linked to above. The easiest way to do this is to just have a field in your content db for
UserName, and link that to the provider db’sUserName. No foreign keys necessary, since you integrate them at the app-level, not the db level.