
I'm new to C# and ASP.NET (not MVC) and trying to code a web site.

Here is the question: Which is the best approach for Login, Authorization and Session management? I'm not asking for how to use built-in membership classes or another ready-to-use solutions. I'm merely asking for a manual approach or methodology.

After a member writes User Name and Password and clicks the submit button, which do you think is the best solution to keep the user logged in while he/she browses pages, clicks buttons or otherwise interacts with the web site?

E.g. is it a good method to use Session, write the User Name, Id etc. to the session and read the session on every page request to check if there's any member information; if so, set the page layouts according to the member's preferences?

Or creating an object at login, setting its properties according to the logged-in user, using the same object for the entire session and destroying it on logout?

Thx

user1599986
    What's wrong with the built-in login? – Amiram Korach Aug 15 '12 at 07:54
  • @AmiramKorach too much overkill, and you do need to use their own schema! user1599986 please [read this answer](http://stackoverflow.com/a/5702000/28004) – balexandre Aug 15 '12 at 08:28
  • Do not ever play with security. I cannot stress enough how important security is, and proven solutions are already present in the framework. – Tomas Voracek Aug 15 '12 at 18:04
  • AmiramKorach; nothing is wrong with the built-in login, I just want to know their approach. balexandre Thx for the resource. Tomas I know security is important and I'm not trying to implement my own non-secure system instead of a proven solution. – user1599986 Aug 16 '12 at 07:19

1 Answer


I suggest that the best approach is to use a pre-existing solution that has proven reliable.

For authentication, use a MembershipProvider. If you don't want to use, for instance, the SqlMembershipProvider, feel free to implement your own by deriving from System.Web.Security.MembershipProvider. Then register your custom provider in the web.config file of your application.

To get started, just search the web for "build a custom membership provider" and you will find lots of tutorials.

For authorization, use the possibilities provided by the <authorization>...</authorization> section in web.config. Make sure to learn about the possibility of placing additional web.config files in sub folders of your application.

If you need role based authorization, use a RoleProvider. Related web search: "build a custom role provider".

If you want to allow your users to store preferences, use a ProfileProvider.

In short, resist the temptation of reinventing the wheel...

user1429080
    I appreciate your answer, but I'm not trying to reinvent the wheel; I'm trying to understand how the wheel works. Using integrated solutions is always easy and time-saving, but I believe one should know other ways to survive in case the built-in solutions are not applicable. – user1599986 Aug 15 '12 at 08:49
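As an added example (not code from the answer or the original post), a web.config that wires together the pieces the answer names: forms authentication, a custom MembershipProvider registered in web.config, a RoleProvider, and the `<authorization>` section, with the sub-folder case expressed through `<location>`. The provider type, connection string name, folder and role names are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example, not code from the answer: forms authentication, a custom MembershipProvider
     registration, a RoleProvider and declarative authorization for an ASP.NET Web Forms site.
     MyApp.Security.CustomMembershipProvider, MyAppDb, Admin and Administrators are assumed names. -->
<configuration>
  <system.web>
    <!-- Forms authentication issues the ticket cookie after a successful login; send it only over
         HTTPS and let it expire after 20 idle minutes. protection="All" signs and encrypts it. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="20" slidingExpiration="true"
             requireSSL="true" cookieless="UseCookies" protection="All" />
    </authentication>
    <!-- Applies to every cookie the site sets, including ASP.NET_SessionId. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- Register the provider derived from System.Web.Security.MembershipProvider. <clear /> drops
         the machine-level SqlMembershipProvider so only the custom one is used. -->
    <membership defaultProvider="CustomMembershipProvider">
      <providers>
        <clear />
        <add name="CustomMembershipProvider" type="MyApp.Security.CustomMembershipProvider, MyApp" />
      </providers>
    </membership>
    <!-- Role manager must be enabled for the roles="" checks below to work; without it an
         authenticated user is in no role and allow roles="..." never matches. -->
    <roleManager enabled="true" defaultProvider="SqlRoleProvider" cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="SqlRoleProvider" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MyAppDb" applicationName="/" />
      </providers>
    </roleManager>
    <!-- Site-wide default. Rules are matched top to bottom, first match wins: anonymous users ("?")
         are denied, every remaining (authenticated) user ("*") is allowed. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <!-- Same effect as a web.config placed in the Admin sub folder. The closing deny is required:
       without it the inherited allow users="*" still matches for non-administrators. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```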