Membership

When first released as part of ASP.NET 2.0 in 2007, the original ASP.NET Membership provider was immensely useful for user and role management. Over time, however, it's started to sport some gray hairs and show its age. It doesn't support certain workflows that modern websites use. For example, when a user forgets his or her password, it's customary that a website sends an e-mail that contains a URL to click on. The URL contains a confirmation token that expires after some interval. The user clicks on the URL to access a page that allows the user to change his or her password. That workflow is difficult to implement with standard Membership.

Another limitation of Membership is the challenge of integrating it with other authentication systems and your own user data. Fortunately, the ASP.NET team addressed many of these issues with the new SimpleMembership feature.

SimpleMembership was originally written for ASP.NET Web Pages, and the ASP.NET team later incorporated it into ASP.NET MVC 4. SimpleMembership is more like a library than a framework. Define your Users table however you see fit and let SimpleMembership handle the credentials. All you need to do is tell SimpleMembership how to match the user in your database with a set of credentials by providing the table name and the username/e-mail column.

The approach taken with SimpleMembership is to provide a library of methods for securely storing passwords, integrating with other authentication providers, etc. This means that features such as password reset are not automatic. Implementing various membership workflows takes a bit more work on your part. But the benefit is that you're not restricted to the workflows that the designers of SimpleMembership anticipated, unlike the default ASP.NET MembershipProvider. The SimpleMembership library provides a lot of helpful functions to make it easy to implement any kind of membership workflow you can imagine.

One downside of SimpleMembership is that it was originally designed for ASP.NET Web Pages. ASP.NET Web Pages is a simple page-based web framework designed for hobbyists, breadth developers, rapid prototyping, or for any developer who prefers an inline style of web development. This means the WebSecurity class consists solely of static methods, which makes it challenging to write unit tests for code that calls into SimpleMembership.

Fortunately, others have taken it upon themselves to write interface-based wrappers of SimpleMembership for your unit testing needs, such as the SimpleMembership.Mvc3 package. Hopefully, by the time you read this book, there will also be an MVC 4 version, though the MVC 3 version should work just fine.

Install-Package SimpleMembership.Mvc3

This is a great approach, but not what we did in the NuGet Gallery. We had a legacy Users database to deal with that used a different storage format for the hashed passwords. We needed to ensure backwards compatibility with the existing stored passwords, while migrating new users to a more standard approach to storing hashed passwords.
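The backward-compatibility requirement described above can be met by tagging each stored record with its hash format and dispatching on that tag at login. The following C# sketch is an added example, not code from NuGet Gallery or SimpleMembership; it goes one step beyond the text by also re-hashing a legacy record once its password has been verified. The type names, the "SHA1" and "PBKDF2" tags, the legacy layout SHA1(salt || password), and the PBKDF2 parameters are all assumptions.

```csharp
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Assumed names and formats throughout; this is not NuGet Gallery code.
public sealed class PasswordRecord
{
    public string Algorithm;   // "SHA1" (assumed legacy format) or "PBKDF2"
    public byte[] Salt, Hash;
}
public static class PasswordHasher
{
    const int Iterations = 100000, SaltBytes = 16, HashBytes = 32; // assumed parameters
    // New accounts, and legacy accounts after a successful login, get PBKDF2.
    public static PasswordRecord Create(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new PasswordRecord { Algorithm = "PBKDF2", Salt = salt, Hash = Pbkdf2(password, salt) };
    }
    // True on match; 'upgraded' is non-null when a legacy record verified and should replace it.
    public static bool Verify(string password, PasswordRecord stored, out PasswordRecord upgraded)
    {
        upgraded = null;
        byte[] candidate;
        if (stored.Algorithm == "PBKDF2") candidate = Pbkdf2(password, stored.Salt);
        else if (stored.Algorithm == "SHA1") candidate = LegacySha1(password, stored.Salt);
        else return false; // unknown format: fail closed
        if (!FixedTimeEquals(candidate, stored.Hash)) return false;
        if (stored.Algorithm != "PBKDF2") upgraded = Create(password);
        return true;
    }
    static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)) return kdf.GetBytes(HashBytes);
    }
    // Assumed legacy layout: SHA1(salt || UTF-8 password).
    static byte[] LegacySha1(string password, byte[] salt)
    {
        using (var sha = SHA1.Create()) return sha.ComputeHash(salt.Concat(Encoding.UTF8.GetBytes(password)).ToArray());
    }
    // Compare every byte so the timing does not reveal where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

When `Verify` returns true with a non-null `upgraded`, the caller persists that record in place of the legacy one, so the weaker format disappears from the database as users sign in.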

We wrote our own interfaces, such as IUserService and IFormsAuthenticationService. If you look at the code closely, you'll notice that the methods and implementations are very similar to SimpleMembership.

Note
The similarity is not by accident. The Program Manager for SimpleMembership also wrote the WebMatrix templates for SimpleMembership and was involved in implementing the authentication interfaces for NuGet Gallery. He's also the person writing this chapter, who doesn't want it getting out that he designed an API that's not very testable. He claims he was just doing his job.

Also take a look at UsersController. It implements the user interface workflow code for membership and is modeled after the default ASP.NET Web Pages project templates included with WebMatrix, but written in a clean, testable manner.

If I were starting a new web application from scratch, I'd probably follow the same approach we did with NuGet Gallery, but I'd have the concrete implementations of our interfaces simply call into the WebSecurity class.
