Best way to handle Login / Authentication in mvc3

Just wondering what the best practice for handling login/user authentication in mvc3 would be. Better to use the built-in membership such as:

    [HttpPost]
    public ActionResult Register(RegisterUser model)
    {
        if (ModelState.IsValid)
        {
            // Attempt to register the user
            MembershipCreateStatus createStatus;
            Membership.CreateUser(model.UserName, model.Password, model.Email, null, null, true, null, out createStatus);

            if (createStatus == MembershipCreateStatus.Success)
            {
                FormsAuthentication.SetAuthCookie(model.UserName, false /* createPersistentCookie */);
                return RedirectToAction("Index","User");
            }
            else
            {
                ModelState.AddModelError("", ErrorCodeToString(createStatus));
            }
        }

        return View(model);
    }

or something more simple and custom such as making your own cookie to avoid having to use the pre-packaged database structure each time?

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,
        user.UserName,
        DateTime.Now,
        DateTime.Now.AddMinutes(10),
        false,
        null);

    string encryptedTicket = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

    this.Response.Cookies.Add(cookie);

Answers

Personally I agree with the approach taken by Stack Overflow in providing two ways to register directly via Stack Exchange and OpenId / OAuth access; Google, Yahoo, Facebook, Twitter, etc.

When providing your own registration I would stick with either the ASP.NET Membership provider or a similar one made available via NuGet.

When using OpenId and OAuth I've had great success with DotNetOpenAuth. Refer to Andrew Arnott's detailed answer on the benefits and justification for using OpenId: To OpenID or not to OpenID? Is it worth it?


The ASP.NET Membership exists for a reason.

If it was as simple as setting a cookie, LinkedIn hackers wouldn't have my password.

Do not write your own Membership provider unless you REALLY know what you're doing.

I would suggest that your best option is to provide a custom provider, so that you don't have to use the 'pre-packaged' database. This way you can re-use the built-in authentication and authorization stuff, while still having a customised user database.

It is not that difficult, simply create a class deriving from MembershipProvider (and RoleProvider if you want to include roles). These are abstract classes, so you need to provide implementations of the various methods. To save having to provide implementations for all the methods, you can have methods you aren't going to use throw NotImplementedException.
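As an added example (not code from the question or from any of the answers), here is one way to do what this answer describes: a class deriving from MembershipProvider that sits over your own user store, so the question's Register action and FormsAuthentication keep working unchanged while the 'pre-packaged' ASP.NET tables are not needed. The class name, the in-memory dictionary standing in for a user table and the sample settings are all assumptions made for the example. Passwords are stored only as a per-user random salt plus a PBKDF2 hash (Rfc2898DeriveBytes), and the members the site does not use throw NotImplementedException, as suggested above.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;

// Custom MembershipProvider over your own user store (example code, not part of the page).
// The store is a constructed in-memory dictionary standing in for a real table; only
// CreateUser and ValidateUser are implemented, every other abstract member throws.
public class CustomStoreMembershipProvider : MembershipProvider
{
    private class StoredUser { public string Email; public byte[] Salt; public byte[] Hash; public DateTime Created; }

    // Constructed sample store keyed by user name (case-insensitive, like the built-in provider).
    private static readonly Dictionary<string, StoredUser> Store =
        new Dictionary<string, StoredUser>(StringComparer.OrdinalIgnoreCase);

    private const int SaltSize = 16, HashSize = 32, Iterations = 10000;

    // PBKDF2 (Rfc2898DeriveBytes) with a per-user random salt; the password itself is never stored.
    private static byte[] DeriveHash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashSize);
    }

    // Compare every byte so the time taken does not reveal how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Same signature Membership.CreateUser forwards to, so the question's Register action works as-is.
    public override MembershipUser CreateUser(string username, string password, string email,
        string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey,
        out MembershipCreateStatus status)
    {
        if (string.IsNullOrEmpty(username)) { status = MembershipCreateStatus.InvalidUserName; return null; }
        if (string.IsNullOrEmpty(password) || password.Length < MinRequiredPasswordLength)
        { status = MembershipCreateStatus.InvalidPassword; return null; }
        lock (Store)
        {
            if (Store.ContainsKey(username)) { status = MembershipCreateStatus.DuplicateUserName; return null; }
            var salt = new byte[SaltSize];
            using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
            var user = new StoredUser { Email = email, Salt = salt, Hash = DeriveHash(password, salt), Created = DateTime.UtcNow };
            Store[username] = user;
            status = MembershipCreateStatus.Success;
            return new MembershipUser(Name, username, username, email, null, null, isApproved, false,
                user.Created, user.Created, user.Created, user.Created, DateTime.MinValue);
        }
    }

    // Called from the login action; only on true should FormsAuthentication.SetAuthCookie be issued.
    public override bool ValidateUser(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
        StoredUser user;
        lock (Store) { if (!Store.TryGetValue(username, out user)) return false; }
        return FixedTimeEquals(DeriveHash(password, user.Salt), user.Hash);
    }

    // Settings reported to the framework; note this sample does not itself enforce the lockout counters.
    public override string ApplicationName { get; set; }
    public override bool EnablePasswordRetrieval { get { return false; } }
    public override bool EnablePasswordReset { get { return false; } }
    public override bool RequiresQuestionAndAnswer { get { return false; } }
    public override bool RequiresUniqueEmail { get { return false; } }
    public override int MaxInvalidPasswordAttempts { get { return 5; } }
    public override int PasswordAttemptWindow { get { return 10; } }
    public override MembershipPasswordFormat PasswordFormat { get { return MembershipPasswordFormat.Hashed; } }
    public override int MinRequiredPasswordLength { get { return 8; } }
    public override int MinRequiredNonAlphanumericCharacters { get { return 0; } }
    public override string PasswordStrengthRegularExpression { get { return string.Empty; } }

    // Members this site does not use; the abstract base class still requires an implementation.
    public override bool ChangePassword(string u, string oldPw, string newPw) { throw new NotImplementedException(); }
    public override bool ChangePasswordQuestionAndAnswer(string u, string pw, string q, string a) { throw new NotImplementedException(); }
    public override bool DeleteUser(string u, bool deleteAllRelatedData) { throw new NotImplementedException(); }
    public override MembershipUserCollection FindUsersByEmail(string e, int pageIndex, int pageSize, out int totalRecords) { throw new NotImplementedException(); }
    public override MembershipUserCollection FindUsersByName(string n, int pageIndex, int pageSize, out int totalRecords) { throw new NotImplementedException(); }
    public override MembershipUserCollection GetAllUsers(int pageIndex, int pageSize, out int totalRecords) { throw new NotImplementedException(); }
    public override int GetNumberOfUsersOnline() { throw new NotImplementedException(); }
    public override string GetPassword(string u, string answer) { throw new NotImplementedException(); }
    public override MembershipUser GetUser(string u, bool userIsOnline) { throw new NotImplementedException(); }
    public override MembershipUser GetUser(object providerUserKey, bool userIsOnline) { throw new NotImplementedException(); }
    public override string GetUserNameByEmail(string e) { throw new NotImplementedException(); }
    public override string ResetPassword(string u, string answer) { throw new NotImplementedException(); }
    public override bool UnlockUser(string u) { throw new NotImplementedException(); }
    public override void UpdateUser(MembershipUser user) { throw new NotImplementedException(); }
}
```

Register it in web.config under `<system.web>` with a `<membership defaultProvider="...">` element whose `<providers>` section does `<clear/>` and then `<add name="..." type="YourNamespace.CustomStoreMembershipProvider"/>`. After that, `Membership.CreateUser` in the question's Register action hits this class, and a login action calls `Membership.ValidateUser` and only then `FormsAuthentication.SetAuthCookie`, so ticket encryption and cookie handling stay with FormsAuthentication rather than being rebuilt by hand as in the second snippet of the question.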

