
ASP.NET MVC Membership

One of my disappointments with Ruby on Rails is that it provides no support whatsoever for site logins/membership, which I consider to be a fundamental part of many database-driven websites. Of course, the Rails community has responded — and responded, and responded, and responded — to this need. The Rails wiki notes that there are about a "gazillion" different systems for solving this problem in Rails. I’ve tried acts_as_authenticated, which does work, but, at least at the time I tried it, required quite a bit of manual tweaking and patching to get it going.

ASP.NET 2.0 and higher, on the other hand, includes a standard membership framework which is sufficiently extensible that I’ve never seen an application which it couldn’t be adapted to fit, and, for most applications, it will work right out of the box.

The usual way to configure page access rights for the ASP.NET membership (in web.config), however, isn’t really applicable to the new MVC framework. Scott Guthrie had promised to cover this subject, but it was Rob Conery who finally delivered the goods. In short, you decorate your controller actions with attributes specifying whether the current user must be logged in, or be within a certain role, and a controller filter handles the work of validating those security assertions at runtime. Troy Goode built upon Rob’s original code, producing the ASP.Net MVC Membership Starter Kit.
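The attribute-plus-filter pattern described above, as an added example that is not Rob Conery's code or the Starter Kit's. `RequiresLoginAttribute`, `AccountController` and `SecurityFilter` are hypothetical names, and plain reflection stands in for the MVC framework's filter pipeline so the program runs as a console application.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Security.Principal;
// Hypothetical attribute: needs a logged-in user and, when Role is set, that role.
[AttributeUsage(AttributeTargets.Method)]
public sealed class RequiresLoginAttribute : Attribute
{
    public string Role { get; set; }
}
public class AccountController // hypothetical controller
{
    public string About() { return "about page"; }
    [RequiresLogin] public string Profile() { return "profile page"; }
    [RequiresLogin(Role = "Administrator")] public string DeleteUser() { return "user deleted"; }
}
public static class SecurityFilter
{
    // Runs before the action and invokes it only if the security assertion holds.
    public static string Dispatch(object controller, string action, IPrincipal user)
    {
        // DeclaredOnly keeps inherited methods such as ToString from being routable.
        MethodInfo method = controller.GetType().GetMethod(action,
            BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly);
        if (method == null) return "404 not found";
        var rule = method.GetCustomAttributes(typeof(RequiresLoginAttribute), false)
                         .Cast<RequiresLoginAttribute>().FirstOrDefault();
        if (rule != null)
        {
            if (user == null || !user.Identity.IsAuthenticated) return "302 redirect to /Login";
            if (rule.Role != null && !user.IsInRole(rule.Role)) return "403 forbidden";
        }
        return (string)method.Invoke(controller, null);
    }

    public static void Main()
    {
        var c = new AccountController();
        // Constructed principals; an empty identity name means "not authenticated".
        var anon = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        var member = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Member" });
        var admin = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Administrator" });
        Console.WriteLine(SecurityFilter.Dispatch(c, "About", anon));
        Console.WriteLine(SecurityFilter.Dispatch(c, "Profile", anon));
        Console.WriteLine(SecurityFilter.Dispatch(c, "DeleteUser", member));
        Console.WriteLine(SecurityFilter.Dispatch(c, "DeleteUser", admin));
    }
}
```

Actions without the attribute stay public, so the check only protects what has been decorated; an undecorated administrative action is reachable by anyone.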

The Starter Kit includes a lot of really valuable code, but very little documentation, so I’m going to write out instructions for "getting started with the Starter Kit." I’m presuming that you’re going to use the SQL membership provider in this example, although the membership framework does include support for OpenID and Windows Live authentication as well. You can, of course, use any authentication framework you care to.

  1. Download the full installer from the Releases tab at CodePlex. I’d also strongly recommend getting the source code download, which is available on the same page.
  2. Run the installer.
  3. If you’re using Visual Studio, you’ll want to install the templates into VS. There’s an item on your Start menu (in the "Starter Kits" folder) which will do that.
  4. If you are creating a brand-new site, you can start by just copying the sample project included with the download. Skip ahead to step 10.
  5. If you are adding membership support to an existing project, there are a few things you need to do. First, you need to reference the assembly you’ve just installed. One way to do this is to simply reference the StarterKits.Mvc assembly in your project. But I chose to add the source code for the StarterKits.Mvc project to my solution instead, which helps with debugging.
  6. If you haven’t done so already, edit your web.config to include Forms authentication and set the Login URL, and specify a ConnectionString if you’re not using the default. I’ll include an example of this below. Note that you need to include a membership provider and a role provider. Also, if you’re not using the default database, run aspnet_regsql.exe to add the required metadata to your database.
  7. You are not required to use the controllers or views supplied with the Starter Kit. The filters in the Starter Kit will work fine with any controller you care to write. However, it’s probably easiest, especially at the beginning, to use the supplied code. If you’re using Visual Studio, you can do this with the templates you installed in step 3. Right click the Controllers folder in Solution Explorer, choose Add New Item, then choose MvcMembership Controllers FormsAuthenticationController. Do the same for FormsAuthenticationAdministrationController. Right click the Views folder, and add both View templates.
  8. The current release of the Starter Kit has a bug where the codebehind and codegen files are not added along with the aspx files to the FormsAuthenticationAdministration views. This will be fixed in the next release (see Troy Goode’s comment below for details), but if you encounter this bug, I’ve included a workaround in my defect report.
  9. You need to add a couple of lines to Global.asax in order to register the routes for the new controllers. You can copy those from the sample project.
  10. Your site should now work, but there are a few things you need to do in order to configure e-mail and the like. These are indicated with TODO comments. You can find these in the Task List.

As promised, here is what you need to add to web.config to use a custom database. I’ve omitted the connection string definition, which is specified like any other connection string.

<!-- These elements go inside <system.web>. -->
<authentication mode="Forms">
  <forms loginUrl="/Login"/>
</authentication>
<roleManager enabled="true">
  <providers>
    <clear/>
    <add name="AspNetSqlRoleProvider" connectionStringName="MyConnectionString"
      applicationName="MyApp"
      type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
<membership defaultProvider="MySqlMembershipProvider">
  <providers>
    <add name="MySqlMembershipProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="MyConnectionString"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      applicationName="MyApp"
      requiresUniqueEmail="true"
      passwordFormat="Hashed"
      maxInvalidPasswordAttempts="5"
      minRequiredPasswordLength="7"
      minRequiredNonalphanumericCharacters="1"
      passwordAttemptWindow="10"
      passwordStrengthRegularExpression=""/>
  </providers>
</membership>
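A check for the membership settings shown above, as an added example that is not part of the original post or the Starter Kit. `MembershipConfigAudit` is a hypothetical name, the thresholds are this example's policy assumptions, and it assumes the config elements carry no XML namespace.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

public static class MembershipConfigAudit
{
    // Reads an attribute, falling back to the SqlMembershipProvider default.
    static string Get(XElement e, string name, string dflt)
    {
        return (string)e.Attribute(name) ?? dflt;
    }

    // Takes a <system.web> element and returns one finding per weak setting.
    public static List<string> Audit(XElement systemWeb)
    {
        var findings = new List<string>();
        XElement membership = systemWeb.Element("membership");
        XElement providers = membership == null ? null : membership.Element("providers");
        if (providers == null) { findings.Add("no <membership><providers> section"); return findings; }
        if (providers.Element("clear") == null)
            findings.Add("no <clear/>: providers inherited from machine.config stay registered");
        foreach (XElement p in providers.Elements("add"))
        {
            string id = Get(p, "name", "(unnamed)");
            if (!Get(p, "passwordFormat", "Hashed").Equals("Hashed", StringComparison.OrdinalIgnoreCase))
                findings.Add(id + ": passwords are stored in a recoverable format");
            if (Get(p, "enablePasswordRetrieval", "false").Equals("true", StringComparison.OrdinalIgnoreCase))
                findings.Add(id + ": enablePasswordRetrieval is on");
            int n;
            // Thresholds below are this example's policy assumptions.
            if (!int.TryParse(Get(p, "minRequiredPasswordLength", "7"), out n) || n < 7)
                findings.Add(id + ": minRequiredPasswordLength below 7");
            if (!int.TryParse(Get(p, "maxInvalidPasswordAttempts", "5"), out n) || n > 5)
                findings.Add(id + ": maxInvalidPasswordAttempts above 5");
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample: the post's provider with three settings weakened.
        XElement sample = XElement.Parse(@"<system.web><membership><providers>
            <add name='MySqlMembershipProvider' passwordFormat='Clear'
                 enablePasswordRetrieval='true' maxInvalidPasswordAttempts='50'/>
            </providers></membership></system.web>");
        foreach (string f in Audit(sample)) Console.WriteLine(f);
    }
}
```

Run against the membership section as posted, the only finding is the missing `<clear/>`, which the roleManager section has but the membership section does not.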

{ 2 } Comments

  1. Troy Goode | April 30, 2008 at 12:02 am | Permalink

    Hi Craig,

    Thanks for the write-up! I’m sure this will be useful to many people.

    A quick note about step #8: I think it is worth noting that the new release is now available that fixes this template issue. You’ll have to be sure to uninstall the templates if you’ve previously installed them, however, as Visual Studio aggressively caches those suckers.

    Even if you are not yet ready to upgrade to the 1.2 release of the starter kit (which uses the interim build of the MVC Framework), the 1.2 VS templates — and specifically the Administration View templates which contained the bug — should be safe for use with the 1.1 version of the starter kit.

    Please let me know if you encounter any further difficulties with the templates!

    Troy

  2. Dan Miser | May 5, 2008 at 9:54 am | Permalink

    Always good to see a familiar face! :-)

    Are you deploying to IIS6 or IIS7? I just added this issue when using this with IIS6:
    http://www.codeplex.com/MvcMembership/WorkItem/View.aspx?WorkItemId=740

    Take care,
    Dan
