How should I implement user membership in my ASP.NET MVC site?

Question

I'm creating an ASP.NET MVC site and I need to implement login and membership functionality.

Is this something where I roll my own? I already have a members table in my database, should I create a username and password hash field and just check against it? What about keeping the user logged in with a cookie that expires?

Is this an instance when you would use ASP.NET's built in Membership service?

ASP.NET MVC neophyte seeks help.

Answer 1

When you create a new ASP.NET MVC site, it already has membership built in. The CodePlex project mentioned in the other reply is only needed in special cases, namely:

• You are using an early beta of the MVC framework, which doesn't have the membership feature.
• You want to use an authentication system like OpenID, which isn't supported "out-of-the-box" with MVC.
• You want membership administration features not included "out-of-the-box"

However, like I said, basic membership functionality is already present in an MVC site. Just add the [Authorize] attribute to any action requiring login. This is regular forms authentication, so you configured in Web.config like a non-MVC site (specifying the database, etc.; there's lots of information on the web about this).

A default MVC site will contain an "Account" controller and views which you can customize to fit your needs.

To answer the obvious question, no, you should not "roll your own." Even if you need custom authentication, it would be better to create a regular ASP.NET membership provider than to create an entirely new membership framework.

Update: The CodePlex project was updated to work with MVC 1.0

Answer 2

If you want to use something safe to start off with, either use the new project's template membership or consider using http://www.codeplex.com/MvcMembership.