ASP .NET MVC Best practice to authenticate and keep user-auth during his work [closed]

I am just investigating the issue and getting many different suggestions. Can someone be helpful in detailing the subject, including:

  • existing methods
  • restrictions
  • pros and cons
  • protection against attacks

I look for a short review to get direction.

EDIT:

The audience is users from worldwide who need to register.

shdr asked Aug 23 '17 08:08


2 Answers

Throwing in an answer here from some of the systems I have had professional experience with:

Note: I can further define positive/negatives if you answer the question I put in the comments about the parameters around your application.

ASP.NET Identity

Basic MS user system that ships with the MVC framework and uses username and password. A plus side to this is that the concept has been around for a long time and there are tons of tutorials showing you how to extend it to use things such as email/password or collect certain data from your users like their mother's dog's middle name or whatever. You also would want to look here if you have an environment where users could possibly share computers. Think factory or hospital setting kinda deal. A negative to this is that you are basically forced to maintain the entire user setup, application roles, user management, all contained within your application (or cluster of applications). Think Forms auth when it comes to this. You may want to look at this if your application is external and exposing AD services makes your security team uncomfortable.

Windows Auth.

You are basically authenticating against the Windows user account and, although not necessary, for the most part you would treat something such as Active Directory as your role provider. The plus side to this is that your application is really no longer responsible for user management and all the support that comes along with it (weeeeee!) but instead you are more authorizing roles to work within your application. This makes it a breeze BUT a huge downfall is if you have users that may possibly share computers, then this is a huge security nightmare. You would want to target users who have their own specific computer where they come to work and sit with this one. This becomes a nightmare if your application is externally hosted as it is easy to make your AD vulnerable as some of its services will need to be accessed externally.

Forms/Windows hybrid model

In this you basically configure your site to run on forms auth BUT your forms auth system is set to auth users in AD as a background process. So this is more for when you have a mix of users where some are sharing computers and some have dedicated computers. You are basically setting up your own forms auth website that takes in a redirect URL along with the user's AD user name and password. The forms auth website then checks if the user's credentials are valid in Active Directory, sets fun things like a session cookie and redirects the user back to your MVC site(s) with an authenticated user. On your MVC site(s) you have AD connectors as well (or you could have an N-tier design to look it up) to tell you what AD groups the user belongs to and handle appropriately. So the plus to systems like this is that you take the user management aspect away from your single site and place that responsibility back into AD, but at the same time you have the flexibility to launch applications that are basically Windows auth into environments that have mixed users (people with dedicated comps and those who share). Downside to this is that initial first-time setup is a massive pain because you are essentially building out multiple systems. Also, security is a concern with this as any time you have a shared computer environment things are more susceptible to abuse. You have to come up with a good session timeout policy and live and die by that. Also you can place your forms auth site in the DMZ and separate externally hosted applications from directly interacting with AD. A minus though is you will need to handle things like AD lockouts, password reset, brute force attempts and such.

External provider such as Facebook, Twitter, Google with something like OAuth.

I have never personally gone down this path on a production application so I cannot give you the real world positive or negatives but it needs to be mentioned and maybe someone else can give us some insight there.

Apologies on the massive textblocks in this answer, will make the format a bit "prettier" when I can get to a desktop.

Travis Acton answered Oct 15 '22 06:10


If you use the ASP.NET MVC Framework you can authenticate users with ASP.NET Identity or with an external provider (Google, Facebook, Microsoft, etc.).

In Visual Studio, if you create a new ASP.NET MVC project and choose to authenticate using individual accounts, it will set up the Identity system for you. To keep users authenticated, I usually add the [Authorize] attribute above the controller class that I want to restrict access to.

Will answered Oct 15 '22 06:10
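As an added example that is not part of either answer: the pieces the two answers mention together in one place, namely the ASP.NET Identity cookie configuration that decides how long a user stays authenticated (the "session timeout policy" Travis Acton refers to), an [Authorize]-restricted controller as Will describes, and a logout action. It assumes ASP.NET MVC 5 with ASP.NET Identity 2.x on OWIN (Microsoft.Owin.Security.Cookies, Microsoft.AspNet.Identity, Microsoft.Owin.Host.SystemWeb); the namespace, controller and role names are made up for illustration.

```csharp
// Added example, not code from the question or the answers.
// Assumes ASP.NET MVC 5 + ASP.NET Identity 2.x on OWIN; MyApp, DashboardController
// and the "Admin" role are placeholder names.
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                // Anonymous requests to [Authorize] actions are redirected here.
                LoginPath = new PathString("/Account/Login"),
                // Session timeout policy: an idle session ends after 20 minutes;
                // activity within that window renews the cookie (sliding expiration).
                ExpireTimeSpan = TimeSpan.FromMinutes(20),
                SlidingExpiration = true,
                // The auth cookie is only sent over HTTPS and is not readable by script,
                // which limits what a shared or compromised browser can leak.
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true
            });
        }
    }

    // Every action in this controller requires an authenticated user.
    [Authorize]
    public class DashboardController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        // Role-based restriction on top of the class-level [Authorize]:
        // only members of the "Admin" role reach this action.
        [Authorize(Roles = "Admin")]
        public ActionResult Settings()
        {
            return View();
        }
    }

    public class AccountController : Controller
    {
        // Logout is a POST protected by an anti-forgery token, so a link on
        // another site cannot end the user's session on their behalf.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult LogOff()
        {
            Request.GetOwinContext().Authentication.SignOut(
                DefaultAuthenticationTypes.ApplicationCookie);
            return RedirectToAction("Index", "Home");
        }
    }
}
```

With sliding expiration a user who keeps working is never interrupted, while a walked-away session on a shared machine dies after the idle window; pick ExpireTimeSpan for the environment described in the answers (shorter for shared computers) rather than the framework default.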