I am working on creating a group of web pages to implement a standard set of code I can drop into any new projects for Membership Registration, Login, and Admin of Users and Roles. **I have 3 tables: ****WebUser - 1..M --> WebUserRole <-- N..1 - WebRole ** and I have standard web pages for login.aspx, register.aspx, forgotpassword.aspx, manageusers.aspx and manageroles.aspx.

ASSUMPTIONS: Db is Sql 2K, Authentication is "Forms", Clients will store Authenication tickets and data will be encrypted, all three tables have primary identity keys ( WebUserID, WebUserRoleID, WebRoleID ) and WebUserRole table is just a join table.

My questions are:

1. Is anyone doing something like this already? If so, do you have code to look at?

2. Do you encrypt and decrypt the UserName and Password? If so, where are you doing it? In Sql Server 2K or in the LLBLGen objects?

3. Do you create salt and hashes for this? If so, do you store it in your WebUser table?

4. Are you creating generic principal and identity objects and using IsInRoles for page authorization?

5. Do you create a separate stored proc or some other method to do the initial UserName and Password validation?

Thanks for all your help!

I think it is more suitable to have this thread in the architecture forum. Shall I move this thread to that forum?

Sure. That will be fine.

This is a lot of ground to cover... I'll tell you my opinion but I don't pretend that I do things the "best" or even "right" way.

Wade wrote:

1. Is anyone doing something like this already? If so, do you have code to look at?

1. I think every project I work on has something similar to this. I don't really have a project I could wrap up nicely for you, but I think the ideas are more important than the code for most things. I'll be glad to put up snippets for things you have specific questions about if you want.

Wade wrote:

1. Do you encrypt and decrypt the UserName and Password? If so, where are you doing it? In Sql Server 2K or in the LLBLGen objects?

1. If/when I encrypt, I do it in code between the User Interface and the LLBLGen objects. I usually use a homegrown encryptor class use to encrypt passwords before they hit the DB. I also use it to encrypt ID values that are displayed on a website. Encrypting/decrypting passwords like this is not nearly as secure as a 1-way hash, but I prefer to keep the ability to decrypt a password if needed. There are many who would say this is a bad habit because someone could decrypt the passwords if they were able to get my code. I am not sure that I disagree with them. It is a trade-off I make. If you want 'real' secure password encryption, see your next question.

Wade wrote:

1. Do you create salt and hashes for this? If so, do you store it in your WebUser table?

1. a. Not usually. b. When I do, yes. The DevDays2004 Smart Client demo program (IssueVision) (and the PPT slides/video that go with it) do a pretty good job of demonstrating both the hows and whys of salt/hash password storage.

Wade wrote:

1. Are you creating generic principal and identity objects and using IsInRoles for page authorization?

1. Yes. I often have Groups + Roles and not just Roles, so I use custom principal objects for that. If all you need is Role-based security on pages/folders, the built-in security in ASP.NET is quick, easy, and works quite well. Regardless of which type Principal I use, I set the role-based authorization on specific pages and folders in the Web.config and then use IsInRoles, etc, for certain user controls, functions, links, etc.

Wade wrote:

1. Do you create a separate stored proc or some other method to do the initial UserName and Password validation?

1. I think it depends on whether you want to be more anal about security or about performance or about ease-of-use. I usually pull a set of users that match the Username, verify that the count is 1, then compare the password. If the passwords match, I use the User.ID to pull the collection of Roles. You could do this in a stored proc or in your .net code, depending on where you want to do the coding. Having come from many small, quick web projects, I have become accustomed to doing this in a stored proc and have recently moved in the other direction but the pendulum may swing back the other way.