
Agenda

• Membership Service
• Role Management Service
• Custom membership service
Membership Service
• Manages users and credentials
• Declarative access via WS Admin Tool
• Programmatic access via Membership API
• Simplifies forms authentication
• Provides logic for validating user names and passwords, creating users.
• Manages data store for credentials, e-mail addresses, and other membership data
• Provider-based for flexible data storage
Membership Schema
[Layer diagram, top to bottom]
Controls: Login, LoginStatus, LoginView, Other Controls
Membership API: Membership, MembershipUser
Membership Providers: SqlMembershipProvider
Membership Data: SQL Server, SQL Server Express
The Membership Class
• Provides static methods for performing key membership tasks
    • Creating and deleting users
    • Retrieving information about users
    • Generating random passwords
    • Validating logins
• Includes read-only static properties for acquiring data about provider settings
The MembershipUser Class
• Represents individual users registered in the membership data store
• Includes numerous properties for getting and setting user info
• Includes methods for retrieving, changing, and resetting passwords
• Returned by Membership methods such as GetUser and CreateUser
Key Membership Methods
Name              Description
CreateUser        Adds a user to the membership data store
DeleteUser        Removes a user from the membership data store
GeneratePassword  Generates a random password of a specified length
GetAllUsers       Retrieves a collection of MembershipUser objects representing all currently registered users
GetUser           Retrieves a MembershipUser object representing a user
UpdateUser        Updates information for a specified user
ValidateUser      Validates logins based on user names and passwords

Creating New Users
try {
    Membership.CreateUser ("Jeff", "imbatman!",
        "jeff@microsoft.com");
}
catch (MembershipCreateUserException e) {
    // Find out why CreateUser failed
    switch (e.StatusCode) {
        case MembershipCreateStatus.DuplicateUserName:
            ...
        case MembershipCreateStatus.DuplicateEmail:
            ...
        case MembershipCreateStatus.InvalidPassword:
            ...
        default:
            ...
    }
}
Validating Logins
if (Membership.ValidateUser (UserName.Text, Password.Text))
    FormsAuthentication.RedirectFromLoginPage (UserName.Text,
        RememberMe.Checked);
Key MembershipUser Properties
Name                     Description
Comment                  Storage for user-defined data
CreationDate             Date user was added to the membership data store
Email                    User's e-mail address
LastLoginDate            Date user last logged in successfully
LastPasswordChangedDate  Date user's password was last changed
ProviderUserKey          Unique user ID generated by membership provider
UserName                 User's registered user name

Key MembershipUser Methods
Name                             Description
ChangePassword                   Changes user's password
ChangePasswordQuestionAndAnswer  Changes question and answer used for password recovery
GetPassword*                     Retrieves a password
ResetPassword**                  Resets a password by setting it to a new random password
UnlockUser                       Restores suspended login privileges

* Works if Membership.EnablePasswordRetrieval is true
** Works if Membership.EnablePasswordReset is true
Restoring Login Privileges
MembershipUser user = Membership.GetUser ("Jeff");

if (user != null) {
    if (user.IsLockedOut) {
        user.UnlockUser ();

        // TODO: Optionally use MembershipUser.ResetPassword
        // to reset Jeff's password
    }
}
Aspnet_regsql.exe
• Tool for creating database used by SqlMembershipProvider and other SQL Server providers
  (C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_regsql.exe)
Using the Login Control
<html>
<body>
<form runat="server">
<asp:Login RunAt="server" />
</form>
</body>
</html>
Configuring the Membership Service
<membership defaultProvider="AspNetSqlMembershipProvider"
userIsOnlineTimeWindow = "00:15:00"
hashAlgorithmType = "[SHA1|MD5]"
>
<providers>
...
</providers>
</membership>
Membership Providers
• Membership is provider-based
• Provider provides interface between Membership service and data store
• Ships with one membership provider
    • SqlMembershipProvider (SQL Server and SQL Server Express)
• Use custom providers for other Membership data stores
Configuring SqlMembershipProvider
<membership defaultProvider="AspNetSqlMembershipProvider">
<providers>
<add name="AspNetSqlMembershipProvider"
connectionStringName="LocalSqlServer"
enablePasswordRetrieval="[true|false]"
enablePasswordReset="[true|false]"
requiresQuestionAndAnswer="[true|false]"
applicationName="/"
requiresUniqueEmail="[true|false]"
passwordFormat="[Clear|Encrypted|Hashed]"
maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"
type="System.Web.Security.SqlMembershipProvider,
System.Web, ..."
/>
</providers>
</membership>
Login Controls
Name              Description
ChangePassword    UI for changing passwords
CreateUserWizard  UI for creating new user accounts
Login             UI for entering and validating user names and passwords
LoginName         Displays authenticated user names
LoginStatus       UI for logging in and logging out
LoginView         Displays different views based on login status and roles
PasswordRecovery  UI for recovering forgotten passwords

The Login Control
• Standard UI for logging in users
• Integrates with Membership service
• Calls ValidateUser automatically
• No-code validation and logins
• Also works without Membership service
• Incorporates RequiredFieldValidators
• Highly customizable UI and behavior
Role Management Service
• Role-based security in a box
• Declarative access via WS Admin Tool
• Programmatic access via Roles API
• Simplifies adding role-based security to sites that employ forms authentication
• Maps users to roles on each request
• Provides data store for role information
• Provider-based for flexible data storage
Role Management Schema
[Layer diagram, top to bottom]
Controls: Login, LoginStatus, LoginView, Other Controls
Roles API: Roles
Role Providers: SqlRoleProvider, Other Role Providers
Roles Data: SQL Server, SQL Server Express, Other Data Stores
The Roles Class
• Gateway to the Role Management API
• Provides static methods for performing key role management tasks
    • Creating and deleting roles
    • Adding users to roles
    • Removing users from roles and more
• Includes read-only static properties for acquiring data about provider settings
Key Roles Methods
Name                Description
AddUserToRole       Adds a user to a role
CreateRole          Creates a new role
DeleteRole          Deletes an existing role
GetRolesForUser     Gets a collection of roles to which a user belongs
GetUsersInRole      Gets a collection of users belonging to a specified role
IsUserInRole        Indicates whether a user belongs to a specified role
RemoveUserFromRole  Removes a user from the specified role

Creating a New Role
if (!Roles.RoleExists ("Developers")) {
    Roles.CreateRole ("Developers");
}
Adding a User to a Role
string name = Membership.GetUser ().UserName;  // Get current user
Roles.AddUserToRole (name, "Developers");      // Add current user to role
Enabling the Role Manager
• Role manager is disabled by default
• Enable it via Web.config:

<configuration>
<system.web>
<roleManager enabled="true" />
</system.web>
</configuration>
Configuring the Role Manager
<roleManager enabled="[true|false]"
defaultProvider="AspNetSqlRoleProvider"
createPersistentCookie="[true|false]"
cacheRolesInCookie="[true|false]"
cookieName=".ASPXROLES"
cookieTimeout="00:30:00"
cookiePath="/"
cookieRequireSSL="[true|false]"
cookieSlidingExpiration="[true|false]"
cookieProtection="[None|Validation|Encryption|All]"
domain=""
maxCachedResults="25"
>
<providers>
...
</providers>
</roleManager>
Configuring SqlRoleProvider
<roleManager defaultProvider="AspNetSqlRoleProvider" ...>
<providers>
<add applicationName="/"
connectionStringName="LocalSqlServer"
name="AspNetSqlRoleProvider"
type="System.Web.Security.SqlRoleProvider, System.Web,
..."
/>
</providers>
</roleManager>
Custom Membership Provider
To build a custom membership provider, create a class that extends the MembershipProvider class.
• This class has a long set of methods.
• This example uses 3 methods and 2 properties: one method to validate a user, one to find a user by username and one to register a new user, plus properties that return the minimum password length and whether duplicate e-mail addresses are allowed.
• To get started, create a new ASP.NET MVC 2 project (not an empty project) and name it CustomMembershipProvider. Then in your Models folder, create a class called CustomMembershipProvider.
• This class will extend the abstract MembershipProvider class. Given below is the CustomMembershipProvider class, with only the 3 methods we require listed. MembershipProvider is in the System.Web.Security namespace, so you may have to add a reference to that namespace.
Example for CustomMembership user
using System;
using System.Web.Security;

public class CustomMembershipProvider : MembershipProvider
{
    // Registers a new user
    public override MembershipUser CreateUser(string username, string password, string email,
        string passwordQuestion, string passwordAnswer, bool isApproved,
        object providerUserKey, out MembershipCreateStatus status)
    {
        throw new NotImplementedException();
    }

    // Finds a user by user name
    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        throw new NotImplementedException();
    }

    // Validates a user name / password pair
    public override bool ValidateUser(string username, string password)
    {
        throw new NotImplementedException();
    }

    public override int MinRequiredPasswordLength
    {
        get
        {
            throw new NotImplementedException();
        }
    }

    public override bool RequiresUniqueEmail
    {
        get
        {
            throw new NotImplementedException();
        }
    }

    // The remaining abstract members of MembershipProvider are not listed here;
    // each one still needs an override before the class compiles.
}
Web.config
<connectionStrings>
  <!-- name must match connectionStringName below and the key read by the User class -->
  <add name="AppDb"
       connectionString="Server=your_server;Database=your_db;Uid=your_user_name;Pwd=your_password;"
       providerName="System.Data.SqlClient" />
</connectionStrings>
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<membership defaultProvider="CustomMembershipProvider">
  <providers>
    <clear/>
    <add name="CustomMembershipProvider"
         type="CustomMembership.Models.CustomMembershipProvider"
         connectionStringName="AppDb"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="false"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="6"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         applicationName="/" />
  </providers>
</membership>
Managing Creation/Validation of Users
using System.Collections.Generic;
using System.Configuration;
using System.Data.Linq;
using System.Linq;

public class User
{
    private Table<UserObj> usersTable;
    private DataContext context;

    public User()
    {
        // "AppDb" must match a connection string name in Web.config
        string connectionString = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        context = new DataContext(connectionString);
        usersTable = context.GetTable<UserObj>();
    }

    // Looks up a user by name and stored password value (the provider passes the hash)
    public UserObj GetUserObjByUserName(string userName, string passWord)
    {
        UserObj user = usersTable.SingleOrDefault(u => u.UserName == userName && u.Password == passWord);
        return user;
    }

    // Looks up a user by name only
    public UserObj GetUserObjByUserName(string userName)
    {
        UserObj user = usersTable.SingleOrDefault(u => u.UserName == userName);
        return user;
    }

    public IEnumerable<UserObj> GetAllUsers()
    {
        return usersTable.AsEnumerable();
    }

    // Inserts a new row and returns the generated user ID
    public int RegisterUser(UserObj userObj)
    {
        UserObj user = new UserObj();
        user.UserName = userObj.UserName;
        user.Password = userObj.Password;
        user.UserEmailAddress = userObj.UserEmailAddress;
        usersTable.InsertOnSubmit(user);
        context.SubmitChanges();
        return user.UserID;
    }
}
Sample code for CustomMembership Provider
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

public class CustomMembershipProvider : MembershipProvider
{
    public override MembershipUser CreateUser(string username, string password, string email,
        string passwordQuestion, string passwordAnswer,
        bool isApproved, object providerUserKey, out MembershipCreateStatus status)
    {
        // Let any registered ValidatingPassword handlers reject the password
        ValidatePasswordEventArgs args = new ValidatePasswordEventArgs(username, password, true);
        OnValidatingPassword(args);
        if (args.Cancel)
        {
            status = MembershipCreateStatus.InvalidPassword;
            return null;
        }
        if (RequiresUniqueEmail && GetUserNameByEmail(email) != string.Empty)
        {
            status = MembershipCreateStatus.DuplicateEmail;
            return null;
        }
        MembershipUser user = GetUser(username, true);
        if (user == null)
        {
            UserObj userObj = new UserObj();
            userObj.UserName = username;
            // Hash with the same helper ValidateUser uses, so stored and checked values match
            userObj.Password = GetMD5Hash(password);
            userObj.UserEmailAddress = email;
            User userRep = new User();
            userRep.RegisterUser(userObj);
            status = MembershipCreateStatus.Success;
            return GetUser(username, true);
        }
        else
        {
            status = MembershipCreateStatus.DuplicateUserName;
            return null;
        }
    }

    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        User userRep = new User();
        UserObj user = userRep.GetAllUsers().SingleOrDefault(u => u.UserName == username);
        if (user != null)
        {
            MembershipUser memUser = new MembershipUser("CustomMembershipProvider", username, user.UserID,
                user.UserEmailAddress, string.Empty, string.Empty, true, false,
                DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.Now,
                DateTime.Now);
            return memUser;
        }
        return null;
    }

    public override bool ValidateUser(string username, string password)
    {
        // Hash the submitted password and look for a row with that name and hash
        string hashedPswd = GetMD5Hash(password);
        User user = new User();
        UserObj userObj = user.GetUserObjByUserName(username, hashedPswd);
        if (userObj != null) return true;
        return false;
    }

    public override int MinRequiredPasswordLength
    {
        get
        {
            return 6;
        }
    }

    public override bool RequiresUniqueEmail
    {
        // In a real application, you will essentially have to return true
        // and implement the GetUserNameByEmail method to identify duplicates
        get
        {
            return false;
        }
    }

    // Returns the lowercase hex MD5 digest of the value.
    // Note: a single unsalted MD5 pass is not adequate for storing passwords;
    // use a salted, iterated key-derivation function in production.
    public static string GetMD5Hash(string value)
    {
        MD5 md5Hasher = MD5.Create();
        byte[] data = md5Hasher.ComputeHash(Encoding.Default.GetBytes(value));
        StringBuilder sBuilder = new StringBuilder();
        for (int i = 0; i < data.Length; i++)
        {
            sBuilder.Append(data[i].ToString("x2"));
        }
        return sBuilder.ToString();
    }

    // The remaining abstract members of MembershipProvider are not listed here;
    // each one still needs an override before the class compiles.
}
Thank You
