
Are they sufficient in terms of security for use in a public site? Or do I need to make modifications?



Are you asking about the membership and role providers or the skeleton controller actions and view? The membership and role providers certainly support secure storage for passwords and allow you to secure your application adequately. I found them to be a little overkill for the kinds of things that I do, so I opted to implement my own. As far as the controller actions, they are just skeletons and you should expect to modify them to fit your authentication scenarios. For one thing, you may want to set things up to require secure connections when transmitting passwords. If you choose to redirect afterwards to a non-secure connection, you'll need to manually manipulate the redirect URL since the default routing doesn't support (or at least didn't in MVC Beta) changing back from secure to non-secure protocols.

The bottom line is that you still need to make sure that you are handling the data securely whether you are using MVC or WebForms. The layout of the controllers and basic setup is an adequate start, but you need to make sure that it fits your security requirements.


It really depends on what kind of site you're making, but I'd probably not deploy the AccountController as-is. It's sample code which demonstrates the mechanics of using the MembershipProvider.

For example, some things to consider:

  1. You might include CAPTCHA with Registration
  2. The default template doesn't actually protect anything with an [Authorize] attribute. If you require a login, you probably want to have controllers and actions which require authorization.


Always take responsibility for your own site's security. I would do a threat model and figure out just how secure your site needs to be. For example, some sites require two factor authentication with something like an RSA keyfob. That's not included with the default template. I'd argue most sites don't need that level. ;) Point is, it depends on your specific needs. Hope that helps!
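An added example, not part of either answer and not the template's own code, showing two of the adjustments mentioned above: forcing a secure connection on the login actions and protecting a controller with [Authorize]. The filter name RequireSecureConnectionAttribute, the OrdersController, and the use of port 443 are assumptions made for illustration.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical filter: only lets a request through if it arrived over HTTPS.
public class RequireSecureConnectionAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        if (request.IsSecureConnection) return;

        // Only a GET can be upgraded by redirect; a password POSTed over
        // plain HTTP has already crossed the wire, so refuse it outright.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("This action requires HTTPS.");

        // Assumption: the site serves HTTPS on the default port 443.
        var secureUrl = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttps, Port = 443 };
        filterContext.Result = new RedirectResult(secureUrl.Uri.ToString());
    }
}

[RequireSecureConnection]
public class AccountController : Controller
{
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult LogOn() { return View(); }

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult LogOn(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("_FORM", "The user name or password is incorrect.");
            return View();
        }
        FormsAuthentication.SetAuthCookie(userName, false);
        // Relative redirect to a fixed action: the request stays on HTTPS, so the
        // new authentication cookie is not sent over a non-secure connection.
        return RedirectToAction("Index", "Orders");
    }
}

// Hypothetical controller: every action requires an authenticated user.
[Authorize]
public class OrdersController : Controller
{
    public ActionResult Index() { return View(); }
}
```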

Licensed under: CC-BY-SA with attribution