Alternatives to .Net Membership

Question

Are there any alternatives\mods to .net Membership?

I find it quite restrictive;

• Cant change Username, easily. You have to create a new user and copy the fields, but then you lose the primary key OR you have to edit the user table directly yourself.

• Additional profile fields are stored together as one blob.

Answer 1

ASP.Net membership uses a provider model. That means you are completely free to implement your own membership provider, or even inherit from and extend an existing provider, as long as you follow the provider contract.

Plus one for asking about existing alternatives rather than trying to build something new yourself, though.

Answer 2

I'll go ahead and list my alternative here. I've rolled my own authentication library, and I think it's awesome enough to be publicly released... So I did. It's designed to stay out of your way and overall, it's pretty minimalistic. I don't provide a lot of out of the box user controls, but on most websites I've seen those built-in user controls are never used. So instead of trying to make yet more flexible user controls, I decided instead to make it brain-dead simple to create your own login controls and such.

The project is called Fast, Secure, and Concise Authentication, or FSCAuth for short. It is BSD licensed. You can download it over at Binpress or at Bitbucket

It's flexible "UserStore" model(the Form's equivalent of provider) enables you to form your database anyway you want. It can support plain text files, XML, MongoDB, Sql Server, and anywhere in-between.

Here's a list of things where I think it particularly excels over Forms Authentication:

• Stateless Authentication System. There is no requirement to keep track of user sessions in either the database or memory. This makes it trivial to scale up to multiple servers requiring few(if any) changes to your authentication code
• Use anything as a Unique ID for each user. That's right, no more GUIDs! Anything that will fit in a string is fair game
• HTTP Basic Authentication baked in. You can enable Basic Authentication just on pages you want(or globally) and you can make the same calls as if they were using the typical cookie-based authentication
• Hard to make insecure. Because of how it works and I leave as little core-code as possible to the end user for actually doing authentication, it's extremely secure and will stay that way unless you just really try to break it. I handle cookies, HTTP Basic Auth, and all hashing. You just give FSCAuth a database to put it in.
• BCrypt support for hashes is trivial. How to do it.. In Forms Authentication it is almost not possible
• I like it :)

Of course it's also lacking, and to be fair I'll include a few things that are lacking

• Authenticating static files in IIS 6 isn't possible(yet)
• There is no brute-force prevention(yet). This means that you'll need to make sure the same person isn't trying to hit your login page 200 times in 2 seconds.
• It's not built into ASP.Net
• No Windows or Passport authentication (with no plans to ever add)

Answer 3

As the ASP.NET membership model is built around Providers, there are a number of alternatives available.

By default, users have a ProviderUserKey, which is a GUID, and that's the Primary key of the database, so you should be able to write something to change their username if you want.

In terms of the profile, yes, the default blob is fairly annoying. You could take a look at the SQL Table Profile Provider which maps profiles on to tables, or fairly quickly roll your own.