I'm updating my website at the moment and figure that if I am to update my login/security mode, now is a good time.
我正在更新我的网站,如果我要更新我的登录/安全模式,现在是一个好时机。
I have looked through the Membership model which is included in ASP.NET but I'm not convinced that it will provide any benefit apart from being familiar to other .NET developers.
我查看了ASP中包含的会员模型。NET,但是我不相信它会给其他。NET开发者带来任何好处。
There seems to be quite a lot of documentation for it, but little discussion for why its worth the effort.
这里似乎有很多文档,但是很少讨论为什么它值得这么做。
Can anybody shed some light upon this?
有人能解释一下吗?
9 个解决方案
#1
14
I see little benefit to using membership for a large site. This has been marketed as 'the' solution for ASP.Net authentication. However, really it looks like Microsoft is just trying to position the old Membership Server product as soemthing that everyone all of a sudden needs.
我认为在大型网站使用会员资格没什么好处。这被称为ASP的“解决方案”。网络身份验证。然而,看起来微软只是想把旧的会员服务器产品定位为每个人都突然需要的东西。
I worked on Membership Server at Msft around 10 years ago. Was also a lead developer on shop.microsoft.com, and I can tell you we used no internal server products on that site--not commerce server, not membership server. Not sure how they are doing it now--but I think the general consensus at that point was that those type of packages generally got in the way of what we were trying to do.
大约10年前,我在Msft的会员服务器工作。也是shop.microsoft.com的主要开发人员,我可以告诉您,我们在该站点上没有使用任何内部服务器产品——不是商业服务器,也不是会员服务器。我不知道他们现在是怎么做的——但我认为当时的普遍共识是,这些类型的包通常会阻碍我们正在尝试做的事情。
It could be useful for a smaller site, or if you have limited resources... i.e. a few hundred users for a departmental or small company intranet, where you don't want to invest much time or resources. The more I look at it, the more it seems completely inappropriate for larger, custom web sites.
它可能对较小的站点有用,或者如果资源有限……例如,一个部门或小公司的内部网有几百个用户,在那里你不想花太多时间或资源。我看得越多,就越不适合大型的定制网站。
What I really don't understand is how almost every ASP.Net book seems to push this as the only way to do it, rather than one way to do it.
我真正不明白的是几乎每一个ASP。Net book似乎把这个作为唯一的方法,而不是一种方法。
#2
9
I wrote my own after reading through all the stored procedures in the ASP.NET Membership provider. It's not hard and you have much more control at the end of the day.
在阅读了ASP中的所有存储过程之后,我编写了自己的程序。网会员提供者。这并不难,在一天结束的时候你有更多的控制权。
If you like XML configuration, weakly-typed strings for roles, insecure by default, random web.config files littered through your directories instead of a clean marker interface on your page classes to say 'no account required', multiple database hits for a single login, user objects that aren't loaded from your current ObjectContext/DataContext and the ability to change providers on the fly (woo hoo, who uses that?!) go for the built-in one.
如果您喜欢XML配置,弱类型的角色字符串,默认不安全,随机web。配置文件都通过你的目录而不是一个干净的页面上标记接口类说“不需要帐户”,多个数据库连接次数为一个登录,用户从你当前的对象没有加载ObjectContext / DataContext动态和能力改变提供者(呜呼,谁使用? !)内置的一个。
If not, build your own, but if you do, make sure you store an encrypted/salted hash of your passwords, and do a proper encrypted cookie please.
如果不是,那就建立你自己的,但是如果你这样做了,确保你储存了一个加密的/咸的你的密码,并做一个适当的加密饼干。
[Updated to reflect feedback in comments]
[更新以反映意见的回应]
#3
6
Unless you are the only person who will ever work on this particular site, I think the fact that it is familiar to .NET developers is a good reason to go the built-in Membership route. Other developers with ASP.NET experience can jump into the project and get up to speed on your site's authentication/authorization model very quickly.
除非你是唯一一个会在这个网站上工作的人,否则我认为。net开发人员很熟悉这个事实,这是一个很好的理由去使用内置的成员关系。其他开发人员与ASP。NET experience可以快速进入项目,并快速地对站点的身份验证/授权模型进行升级。
We use the built-in Membership and Role provider model on our site and it works very well...we had to write our own Provider classes, since we use a different backing store for the data (we use Microsoft Dynamics CRM), but these classes are pretty simple and well-documented. By doing this bit of work up front, we can now use the Membership and Roles classes in code as well as the various login-related server controls on our pages.
我们在我们的网站上使用了内置的会员和角色提供程序模型,而且效果很好……我们必须编写自己的提供程序类,因为我们使用不同的数据支持存储(我们使用Microsoft Dynamics CRM),但是这些类非常简单,并且有很好的文档说明。通过在前面做这些工作,我们现在可以在代码中使用成员和角色类,以及在我们的页面上使用各种登录相关的服务器控件。
Is there another alternative that you are considering?
你还有别的选择吗?
#4
3
The only thing I really hate about the MembershipProvider that comes with .Net is the fact that the userid is a GUID instead of an auto incrementing identity. I know there are bonuses to using a GUID but integrating it into pre-existing systems or modules can be a pain.
net附带的MembershipProvider唯一让我讨厌的是,userid是GUID而不是自动递增的标识。我知道使用GUID是有好处的,但是将它集成到已经存在的系统或模块中会很痛苦。
#5
1
It is there simply so that you do not have to roll your own.
它的存在只是为了让你不需要自己滚动。
#6
0
It's value is that it is an easy to use ready built role based security framework. If you have already built your own framework and migration is not trivial then it may not be worth it. But one benefit of migrating would be you could eliminate a lot of application code and replace with framework code.
它的价值在于,它是一种易于使用的、基于角色的安全框架。如果您已经构建了自己的框架,并且迁移是非常重要的,那么它可能不值得。但是迁移的一个好处是您可以删除大量的应用程序代码,并用框架代码替换它们。
#7
0
If you ever want to migrate your site to any kind of already made portal software - like Community Server or DotNetNuke using the membership provider allows for easy migration. You can even use the existing database and not have to implement new ones.
如果您想要将您的站点迁移到任何类型的门户软件,比如社区服务器或使用成员提供程序的DotNetNuke,可以方便地迁移。您甚至可以使用现有的数据库,而不必实现新的数据库。
#8
0
I think a compelling feature of ASP.NET Membership, Role and Profile is that it uses the provider model. If you aren't happy with it the way it is, it is not difficult to roll your own from the base classes. If you look at codeplex.com you can find probably a dozen or more custom providers that people have written. I wrote one for the SQLite database a few years ago.
我认为ASP的一个引人注目的特性。NET成员、角色和配置文件是使用提供者模型的。如果您对它的现状不满意,那么从基类中滚动自己的类并不困难。如果你看看codeplex.com,你可以找到十几个或者更多的定制提供商。几年前我为SQLite数据库写了一篇文章。
#9
0
The Membership route works well BUT there is one fatal flaw and I do not blame Microsoft for it.
会员路线很好,但是有一个致命的缺点,我不怪微软。
Internet Explorer is the only browser that properly disposes of the authentication cache.
Internet Explorer是唯一正确配置身份验证缓存的浏览器。
You can close a Firefox browser, open it and then restore that last session and go right back into your "secure" website without logging in. Chrome has similar issues and anything Mac does the same.
您可以关闭Firefox浏览器,打开它,然后恢复上次的会话,然后回到您的“安全”网站,而无需登录。Chrome也有类似的问题,Mac也有类似的问题。
IE has a javascript call that handles this correctly: document.execCommand("ClearAuthenticationCache", "false");
IE有一个javascript调用来正确地处理这个:document。execCommand(“ClearAuthenticationCache”,“假”);
It does not work with any other browser. If you use this you need to force users to use IE.
它不能与任何其他浏览器一起工作。如果你使用这个,你需要强迫用户使用IE。
#1
14
I see little benefit to using membership for a large site. This has been marketed as 'the' solution for ASP.Net authentication. However, really it looks like Microsoft is just trying to position the old Membership Server product as soemthing that everyone all of a sudden needs.
我认为在大型网站使用会员资格没什么好处。这被称为ASP的“解决方案”。网络身份验证。然而,看起来微软只是想把旧的会员服务器产品定位为每个人都突然需要的东西。
I worked on Membership Server at Msft around 10 years ago. Was also a lead developer on shop.microsoft.com, and I can tell you we used no internal server products on that site--not commerce server, not membership server. Not sure how they are doing it now--but I think the general consensus at that point was that those type of packages generally got in the way of what we were trying to do.
大约10年前,我在Msft的会员服务器工作。也是shop.microsoft.com的主要开发人员,我可以告诉您,我们在该站点上没有使用任何内部服务器产品——不是商业服务器,也不是会员服务器。我不知道他们现在是怎么做的——但我认为当时的普遍共识是,这些类型的包通常会阻碍我们正在尝试做的事情。
It could be useful for a smaller site, or if you have limited resources... i.e. a few hundred users for a departmental or small company intranet, where you don't want to invest much time or resources. The more I look at it, the more it seems completely inappropriate for larger, custom web sites.
它可能对较小的站点有用,或者如果资源有限……例如,一个部门或小公司的内部网有几百个用户,在那里你不想花太多时间或资源。我看得越多,就越不适合大型的定制网站。
What I really don't understand is how almost every ASP.Net book seems to push this as the only way to do it, rather than one way to do it.
我真正不明白的是几乎每一个ASP。Net book似乎把这个作为唯一的方法,而不是一种方法。
#2
9
I wrote my own after reading through all the stored procedures in the ASP.NET Membership provider. It's not hard and you have much more control at the end of the day.
在阅读了ASP中的所有存储过程之后,我编写了自己的程序。网会员提供者。这并不难,在一天结束的时候你有更多的控制权。
If you like XML configuration, weakly-typed strings for roles, insecure by default, random web.config files littered through your directories instead of a clean marker interface on your page classes to say 'no account required', multiple database hits for a single login, user objects that aren't loaded from your current ObjectContext/DataContext and the ability to change providers on the fly (woo hoo, who uses that?!) go for the built-in one.
如果您喜欢XML配置,弱类型的角色字符串,默认不安全,随机web。配置文件都通过你的目录而不是一个干净的页面上标记接口类说“不需要帐户”,多个数据库连接次数为一个登录,用户从你当前的对象没有加载ObjectContext / DataContext动态和能力改变提供者(呜呼,谁使用? !)内置的一个。
If not, build your own, but if you do, make sure you store an encrypted/salted hash of your passwords, and do a proper encrypted cookie please.
如果不是,那就建立你自己的,但是如果你这样做了,确保你储存了一个加密的/咸的你的密码,并做一个适当的加密饼干。
[Updated to reflect feedback in comments]
[更新以反映意见的回应]
#3
6
Unless you are the only person who will ever work on this particular site, I think the fact that it is familiar to .NET developers is a good reason to go the built-in Membership route. Other developers with ASP.NET experience can jump into the project and get up to speed on your site's authentication/authorization model very quickly.
除非你是唯一一个会在这个网站上工作的人,否则我认为。net开发人员很熟悉这个事实,这是一个很好的理由去使用内置的成员关系。其他开发人员与ASP。NET experience可以快速进入项目,并快速地对站点的身份验证/授权模型进行升级。
We use the built-in Membership and Role provider model on our site and it works very well...we had to write our own Provider classes, since we use a different backing store for the data (we use Microsoft Dynamics CRM), but these classes are pretty simple and well-documented. By doing this bit of work up front, we can now use the Membership and Roles classes in code as well as the various login-related server controls on our pages.
我们在我们的网站上使用了内置的会员和角色提供程序模型,而且效果很好……我们必须编写自己的提供程序类,因为我们使用不同的数据支持存储(我们使用Microsoft Dynamics CRM),但是这些类非常简单,并且有很好的文档说明。通过在前面做这些工作,我们现在可以在代码中使用成员和角色类,以及在我们的页面上使用各种登录相关的服务器控件。
Is there another alternative that you are considering?
你还有别的选择吗?
#4
3
The only thing I really hate about the MembershipProvider that comes with .Net is the fact that the userid is a GUID instead of an auto incrementing identity. I know there are bonuses to using a GUID but integrating it into pre-existing systems or modules can be a pain.
net附带的MembershipProvider唯一让我讨厌的是,userid是GUID而不是自动递增的标识。我知道使用GUID是有好处的,但是将它集成到已经存在的系统或模块中会很痛苦。
#5
1
It is there simply so that you do not have to roll your own.
它的存在只是为了让你不需要自己滚动。
#6
0
It's value is that it is an easy to use ready built role based security framework. If you have already built your own framework and migration is not trivial then it may not be worth it. But one benefit of migrating would be you could eliminate a lot of application code and replace with framework code.
它的价值在于,它是一种易于使用的、基于角色的安全框架。如果您已经构建了自己的框架,并且迁移是非常重要的,那么它可能不值得。但是迁移的一个好处是您可以删除大量的应用程序代码,并用框架代码替换它们。
#7
0
If you ever want to migrate your site to any kind of already made portal software - like Community Server or DotNetNuke using the membership provider allows for easy migration. You can even use the existing database and not have to implement new ones.
如果您想要将您的站点迁移到任何类型的门户软件,比如社区服务器或使用成员提供程序的DotNetNuke,可以方便地迁移。您甚至可以使用现有的数据库,而不必实现新的数据库。
#8
0
I think a compelling feature of ASP.NET Membership, Role and Profile is that it uses the provider model. If you aren't happy with it the way it is, it is not difficult to roll your own from the base classes. If you look at codeplex.com you can find probably a dozen or more custom providers that people have written. I wrote one for the SQLite database a few years ago.
我认为ASP的一个引人注目的特性。NET成员、角色和配置文件是使用提供者模型的。如果您对它的现状不满意,那么从基类中滚动自己的类并不困难。如果你看看codeplex.com,你可以找到十几个或者更多的定制提供商。几年前我为SQLite数据库写了一篇文章。
#9
0
The Membership route works well BUT there is one fatal flaw and I do not blame Microsoft for it.
会员路线很好,但是有一个致命的缺点,我不怪微软。
Internet Explorer is the only browser that properly disposes of the authentication cache.
Internet Explorer是唯一正确配置身份验证缓存的浏览器。
You can close a Firefox browser, open it and then restore that last session and go right back into your "secure" website without logging in. Chrome has similar issues and anything Mac does the same.
您可以关闭Firefox浏览器,打开它,然后恢复上次的会话,然后回到您的“安全”网站,而无需登录。Chrome也有类似的问题,Mac也有类似的问题。
IE has a javascript call that handles this correctly: document.execCommand("ClearAuthenticationCache", "false");
IE有一个javascript调用来正确地处理这个:document。execCommand(“ClearAuthenticationCache”,“假”);
It does not work with any other browser. If you use this you need to force users to use IE.
它不能与任何其他浏览器一起工作。如果你使用这个,你需要强迫用户使用IE。