Implementing a Custom Membership Provider

Although this will be a challenge at my level of ASP.NET knowledge, I'm
thinking I should implement my own membership provider class.

Looking over the methods I must implement, a number of questions come to
mind.

1. How would one implement GetNumberOfUsersOnline? I'm not sure where there
is any indication of this? And is this affected by the "Remember me next
time" checkbox, which doesn't seem to work like it does on any other site
I've seen.

2. If I want to be able to provide a user password in response to the user
answering their private question, how would I best store the password? I
understand the default encryption cannot be unencrypted, but suspect that no
encryption at all is not the best approach.

3. I see that the ASP.NET SQL membership provider uses uniqueidentifier for
the primary key for each user. Is there any particular reason to use this
type instead of an automatically incrementing integer? Any downside to using
integers?

I'd appreciate any tips with respect to any of these issues.

Thanks!

--
Jonathan Wood
SoftCircuits Programming
http://www.softcircuits.com

Dec 7 '07 #1
On Thu, 6 Dec 2007 18:08:33 -0700, "Jonathan Wood"
<jw***@softcircuits.com> wrote:

> Although this will be a challenge at my level of ASP.NET knowledge, I'm
> thinking I should implement my own membership provider class.
>
> Looking over the methods I must implement, a number of questions come to
> mind.
>
> 1. How would one implement GetNumberOfUsersOnline? I'm not sure where there
> is any indication of this? And is this affected by the "Remember me next
> time" checkbox, which doesn't seem to work like it does on any other site
> I've seen.

I just looked at some 1.1 stuff I wrote and GetNumberOfUsersOnline
method throws a NotSupportedException. At best the return value will
be a snapshot of an estimate, just a meaningless number. There was
just no reason to implement the method.

> 2. If I want to be able to provide a user password in response to the user
> answering their private question, how would I best store the password? I
> understand the default encryption cannot be unencrypted, but suspect that no
> encryption at all is not the best approach.

There is nothing wrong with not being able to decrypt a stored
password. When a user makes the lost password request the server can
create a new password, encrypt and store a copy before sending the
unencrypted password to the user. Once the user logs in using the new
password, they can change the password to whatever they desire.

> 3. I see that the ASP.NET SQL membership provider uses uniqueidentifier for
> the primary key for each user. Is there any particular reason to use this
> type instead of an automatically incrementing integer? Any downside to using
> integers?

I believe GUIDs are preferable because they can have meaning across
tables, data stores etc. When one account can have multiple
memberships, the different memberships can use the same membership ID.

regards
A.G.
Dec 7 '07 #2
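
The reset flow described in the reply above, sketched in C# as an added example (not code from the thread or from ASP.NET's own providers). It assumes .NET 6 or later and uses a salted PBKDF2 hash as the non-decryptable stored form, an algorithm choice the thread does not specify; `PasswordStore` and its members are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration: PasswordStore and its members are hypothetical names,
// not part of the ASP.NET membership API.
public static class PasswordStore
{
    // Constructed parameters; tune the iteration count for your hardware.
    const int SaltBytes = 16, HashBytes = 32, Iterations = 210000;

    // Value for the password column: "iterations.salt.hash", Base64 fields.
    public static string Protect(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return Iterations + "." + Convert.ToBase64String(salt) + "." +
               Convert.ToBase64String(hash);
    }

    // Re-derives the hash with the stored salt; compares in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] p = (stored ?? "").Split('.');
        if (p.Length != 3 || !int.TryParse(p[0], out int n) || n <= 0) return false;
        try
        {
            byte[] salt = Convert.FromBase64String(p[1]);
            byte[] want = Convert.FromBase64String(p[2]);
            if (want.Length == 0) return false;
            byte[] got = Rfc2898DeriveBytes.Pbkdf2(
                password, salt, n, HashAlgorithmName.SHA256, want.Length);
            return CryptographicOperations.FixedTimeEquals(got, want);
        }
        catch (FormatException) { return false; } // malformed column value
    }

    // Lost-password path: issue a random one-time password, keep only its hash.
    public static string Reset(out string newStored)
    {
        string temp = Convert.ToBase64String(RandomNumberGenerator.GetBytes(12));
        newStored = Protect(temp);
        return temp; // sent to the user once; never written to the database
    }
}

public static class Demo
{
    public static void Main()
    {
        string stored = PasswordStore.Protect("old-password"); // constructed sample
        Console.WriteLine(PasswordStore.Verify("old-password", stored));

        string temp = PasswordStore.Reset(out stored); // user answered the question
        Console.WriteLine(PasswordStore.Verify(temp, stored));
        Console.WriteLine(PasswordStore.Verify("old-password", stored));
    }
}
```

After `Reset`, the old password no longer verifies and the database row holds nothing from which either password can be recovered.
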
Registered User,

>> 1. How would one implement GetNumberOfUsersOnline? I'm not sure where there
>> is any indication of this? And is this affected by the "Remember me next
>> time" checkbox, which doesn't seem to work like it does on any other site
>> I've seen.
>
> I just looked at some 1.1 stuff I wrote and GetNumberOfUsersOnline
> method throws a NotSupportedException. At best the return value will
> be a snapshot of an estimate, just a meaningless number. There was
> just no reason to implement the method.

I understand, but it would be useful for my application.

>> 2. If I want to be able to provide a user password in response to the user
>> answering their private question, how would I best store the password? I
>> understand the default encryption cannot be unencrypted, but suspect that no
>> encryption at all is not the best approach.
>
> There is nothing wrong with not being able to decrypt a stored
> password. When a user makes the lost password request the server can
> create a new password, encrypt and store a copy before sending the
> unencrypted password to the user. Once the user logs in using the new
> password, they can change the password to whatever they desire.

Right.

>> 3. I see that the ASP.NET SQL membership provider uses uniqueidentifier for
>> the primary key for each user. Is there any particular reason to use this
>> type instead of an automatically incrementing integer? Any downside to using
>> integers?
>
> I believe GUIDs are preferable because they can have meaning across
> tables, data stores etc. When one account can have multiple
> memberships, the different memberships can use the same membership ID.

If I implement my own provider (and I'm not sure I will), I may just use an
incrementing integer. I can't think of any problems with doing so.

BTW, do you happen to have any ideas about roles? How would something like
Roles.GetRolesForUser() work if I implement my own provider?

Thanks.

--
Jonathan Wood
SoftCircuits Programming
http://www.softcircuits.com

Dec 7 '07 #3

"Jonathan Wood" <jw***@softcircuits.com> wrote in message
news:uT**************@TK2MSFTNGP02.phx.gbl...

>> I believe GUIDs are preferable because they can have meaning across
>> tables, data stores etc. When one account can have multiple
>> memberships, the different memberships can use the same membership ID.
>
> If I implement my own provider (and I'm not sure I will), I may just use
> an incrementing integer. I can't think of any problems with doing so.

Famous last words! ;) I'm not going to start another "Guid vs Integer"
debate, there are plenty of those out there already. But count me in the
"Guid" camp, especially for something like membership data. You say "just
use an incrementing integer" like that is easier. In fact, it's more
difficult (only slightly). ;)

I'm curious why you want to implement your own provider. I promise not to
try to talk you out of it, I just wonder why. We "piggy back" our custom
security stuff "on top of" the standard provider and I'm fairly happy with
it. It actually adds a little "security through obscurity" since someone
familiar with the standard membership stuff won't have a clue about what
else is going on on the server after they are "authenticated" by asp.net.

Dec 7 '07 #4
Scott,

>> If I implement my own provider (and I'm not sure I will), I may just use
>> an incrementing integer. I can't think of any problems with doing so.
>
> Famous last words! ;) I'm not going to start another "Guid vs Integer"
> debate, there are plenty of those out there already. But count me in the
> "Guid" camp, especially for something like membership data. You say "just
> use an incrementing integer" like that is easier. In fact, it's more
> difficult (only slightly). ;)

I trust you'll let me know when you're in the mood for articulating the
reasons why an integer might be a problem for what I'm doing.

> I'm curious why you want to implement your own provider. I promise not to
> try to talk you out of it, I just wonder why. We "piggy back" our custom
> security stuff "on top of" the standard provider and I'm fairly happy with
> it. It actually adds a little "security through obscurity" since someone
> familiar with the standard membership stuff won't have a clue about what
> else is going on on the server after they are "authenticated" by asp.net.

I'm still unsure of the best route, especially since I'm still pretty new to
the platform. I'm not interested in being told an approach is bad, but if
you'd care to articulate what problems there might be, or what might be
better, I am very interested.

Basically, I have three types of users (roles). I need to store some basic
information for each user, plus additional information that has different
fields depending on the user's role. So I'll need the primary table with
three additional tables, which store role-specific information.

If I create my own provider, I should be able to create relationships
between the specialized tables and the basic information table. This should
allow the database to enforce the relationship so that I could never delete
user information in the basic table without also deleting the associated
specialized information. (I think--I still need to solve some details
there.)

In addition, since creating a user involves adding records to more than one
table, I could use transactions. It doesn't appear that I can create a user
with the default provider and then create a record in the secondary table
all within a single transaction.

Finally, I started wondering if it might just be easier as I seem to spend a
lot of time trying to figure out exactly how the default provider works.
I've always enjoyed creating something more than trying to figure out what
someone else has done.

I don't believe profiles would work because profile data must be the same
for each user. In addition, much of what I've read warns against using
profiles because it is inefficient.

Thanks.

--
Jonathan Wood
SoftCircuits Programming
http://www.softcircuits.com

Dec 8 '07 #5
> I trust you'll let me know when you're in the mood for articulating the
> reasons why an integer might be a problem for what I'm doing.

This debate rages on, debated by people much smarter than me. This seems
like a "fair" link to start with (be sure to click the links inside the
page, as the page itself doesn't supply too much info). Google for more.

http://www.codinghorror.com/blog/archives/000817.html

For me, the determining factor is that Guids can be created by the
application, which lets me set up all keys (both primary and foreign)
inside the application then push it all to the database in a single
transaction. I'm sure there are techniques to accomplish this with
auto-incs, but with Guids I don't need "techniques" - it's trivial.

> Basically, I have three types of users (roles). I need to store some basic
> information for each user, plus additional information that has different
> fields depending on the user's role. So I'll need the primary table with
> three additional tables, which store role-specific information.

So create your "user" table and put a foreign key to the aspnet_Users table
on "UserId". Create your role-specific tables with foreign keys to your
"user" table.

> If I create my own provider, I should be able to create relationships
> between the specialized tables and the basic information table. This
> should allow the database to enforce the relationship so that I could
> never delete user information in the basic table without also deleting the
> associated specialized information. (I think--I still need to solve some
> details there.)

You can do this anyway. The aspnet membership tables are just SQL Server
tables. There's nothing magic about them. You can add relational constraints
to them all you want.

> In addition, since creating a user involves adding records to more than
> one table, I could use transactions. It doesn't appear that I can create a
> user with the default provider and then create a record in the secondary
> table all within a single transaction.

Good point ... maybe. See below.

> Finally, I started wondering if it might just be easier as I seem to spend
> a lot of time trying to figure out exactly how the default provider works.
> I've always enjoyed creating something more than trying to figure out what
> someone else has done.

I'm with you on this one. However, I'm not sure that creating your own
Membership provider is going to accomplish that. As you've already seen, the
membership interface defines the methods that you must implement and the
built-in login controls call those methods automatically. You still have to
work within the framework that someone else built. Which means that you
still need to understand that framework. And that framework may not allow
for passing all of your custom data around easily.

For example, the "Membership.CreateUser" method doesn't provide arguments
for user preferences. So you're going to need another method call to push
the preferences to the DB. That method call isn't going to be called by the
built-in controls, so you'll have to add events to those controls to call
the additional methods. I'm not sure that you are going to be able to get
all of that to happen in a single database transaction.

IMO, the membership interface is useful for supporting non-SQL Server
databases and little else. It's a DAL, not a place for customized business
rules. If you want purely custom business rules, I'd say abandon aspnet
membership and just roll your own. It's not like it's *that* hard. The whole
point of aspnet membership was to automate and simplify a routine web site
task. For us, it made more sense to use that tool "as is" then add more
information "on top" of it.

Scott

Dec 8 '07 #6
Scott,

> This debate rages on, debated by people much smarter than me. This seems
> like a "fair" link to start with (be sure to click the links inside the
> page, as the page itself doesn't supply too much info). Google for more.
>
> http://www.codinghorror.com/blog/archives/000817.html

Thanks, I'll check it out.

> You can do this anyway. The aspnet membership tables are just SQL Server
> tables. There's nothing magic about them. You can add relational
> constraints to them all you want.

Yes, I see that. For me, the issue is that now I not only need to learn all
about the ASP.NET membership interfaces, I also need a pretty thorough
understanding of the underlying tables, of which there are quite a few. It
reaches a point where whipping up something of my own almost seems easier.

Don't get me wrong though, I'd definitely prefer not to reinvent the wheel if
I don't have to. But my own implementation would be considerably simpler
than what's there and, of course, I'd understand it.

> I'm with you on this one. However, I'm not sure that creating your own
> Membership provider is going to accomplish that. As you've already seen,
> the membership interface defines the methods that you must implement and
> the built-in login controls call those methods automatically. You still
> have to work within the framework that someone else built. Which means
> that you still need to understand that framework. And that framework may
> not allow for passing all of your custom data around easily.

So far, I'm pretty comfortable with the MembershipProvider interface. The
vast majority of the methods involved are self explanatory. And I could
simply get a reference to the provider, type cast it, and access any
additional functionality I implement.

> For example, the "Membership.CreateUser" method doesn't provide arguments
> for user preferences. So you're going to need another method call to push
> the preferences to the DB. That method call isn't going to be called by
> the built-in controls, so you'll have to add events to those controls to
> call the additional methods. I'm not sure that you are going to be able to
> get all of that to happen in a single database transaction.

I don't know what you mean by user preferences. If you are talking about
profiles, I don't see any reason to use those if I implement my own
provider. If you mean something else, perhaps you could clarify.

(BTW, for my current application, users will not create their own accounts.
They will be created by other users, such as administrators.)

> IMO, the membership interface is useful for supporting non-SQL Server
> databases and little else. It's a DAL, not a place for customized business
> rules. If you want purely custom business rules, I'd say abandon aspnet
> membership and just roll your own. It's not like it's *that* hard. The
> whole point of aspnet membership was to automate and simplify a routine
> web site task. For us, it made more sense to use that tool "as is" then
> add more information "on top" of it.

I just want the easiest route and can't really determine what that is right
now. Completely redoing the entire part seems like a bit more work to
me--something I'd love to take on but not now.

Thanks.

--
Jonathan Wood
SoftCircuits Programming
http://www.softcircuits.com

Dec 8 '07 #7
