It belongs to the ASP.NET MVC project if you ask me. I usually add a new folder to the web project called "Security". I put stuff, like the Membership and Role provider implementations inside this folder.
You should ask yourself if you are going to share the implementations along other web projects, if so then you could create a seperate project called NameOfProject.Web.Mvc and put all your mvc related stuff, like the Membership and Role provider, HtmlHelpers, Filters etc. here.
I use the same approach to seperate my REST services, based on Web API from the MVC project by moving them to a seperate project called NameOfProject.Web.Http. This way it's very easy to build another client, like a console or winforms application that use the same service implementation as your other clients.
Here's an example of my project structure without a seperate project.
Example with a seperate project for MVC attributes
I hope this helps!
Good luck!