ASP.NET FormsAuthentication frustration: how can I wire up a custom MembershipProvider?
https://stackoverflow.com/questions/8056650
-
24-02-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
It seems I was not expressing my question well, so I am adding this as a supplemental title: How can I extend the FormsAuthentication class so that I can override default behaviors in a configuration file (for example, pass off execution control to the MembershipProvider for updating the MembershipUser's LastActivity on a new page request), and, failing that, replace the mechanism of the FormsAuthentication class with my own custom class and use that as the FormsAuthentication class would normally be used?
How do we implement a less ridiculously rigid, more extensible FormsAuthentication framework that will allow us to integrate into a custom MembershipProvider? Has there been any work on this? Ultimately, I'd like to put in my web.config something like this:
<authentication mode="Forms">
<forms membershipProvider="MyCustomMembershipProvider">
<events>
<add event="AuthenticatedRequest" action="OnAuthRequest" />
<add event="UnAuthenticatedRequest" action="OnRequest" />
<add event="UnAuthorizedRequest" action="UnAuthRequest" />
</events>
</forms>
</authentication>
This shouldn't be taking up all my time. The Forms Authentication seems to be pretty low-level in the ASP.NET page lifecycle, but there's got to be a way to cleanly circumvent it.
This is not about the custom membership provider. I want to implement things in my membership provider class like the implied "IsOnline" and "LastActivity" functionality, but the FormsAuthentication sets the cookie and doesn't look back. I want to inject my own code when it checks that cookie, but I can't. There has to be a way other than layering my own cookie on top.
Solution
No, it doesn't work that way. The membership provider doesn't get authenticated requests or unauthenticated requests. In fact, it has very little to do with authentication. That's handled by the security framework. Membership is only used as the means to validate someones username and password. That's it. You can think of Membership as a data store that the security framework uses to authenticate the user, but it does not do the management of the authentication itself.
This article might be what you're looking for:
http://www.asp.net/security/tutorials/forms-authentication-configuration-and-advanced-topics-cs
OTHER TIPS
Based on your update, you could create a custom membership provider as mentioned in the linked question that inherits from SqlMembershipProvider, overriding any functionality that you want to change.
You are correct in that Forms Authentication simply creates a cookie; that's all that its meant to do - help your application determine if your user is logged in. The Membership part is what tells you IsOnline and LastActivity and other user information.
If you could let us know what membership functionality you wish to override, we can try to help as you haven't given us enough detail yet.
