Summary

This rather long chapter introduced you to the theory and practice of securing all or part of your Web site or Web application so that visitors must identify themselves before they can view these pages. As you saw, ASP.NET provides a membership and roles management system that when set up is almost transparent in operation. It keeps track of users, roles, and the membership of each role. It also interfaces with the security server controls, such as the Login, CreateUserWizard, and PasswordRecovery controls, so that you do not have to write any code at all to implement a complete secured access system in your sites and applications.

ASP.NET includes default membership and roles providers, though you can create your own or use third-party versions if you prefer. The providers also expose an API that you can access in your code so that you can automate processes, add extensions you require for your sites, or tailor the way the system works.

The membership and role systems support both Forms authentication and Windows authentication, and so you can choose the approach that best suits your network and your requirements. Forms authentication works fine on any type of network and with devices that do not support cookies, whereas Windows authentication tends to be limited to intranets where the server can access Windows credentials for users and the account groups defined within Windows.

Alarge section of this chapter was devoted to walking through the processes of creating the database required for membership and roles management, creating and configuring users and roles, and understanding how the processes relate to the underlying workings of IIS and ASP.NET and the contents of the machine.config and web.config files. By now, you should have a more thorough understanding of the principles and practice of security and membership in ASP.NET. This understanding will be useful in the following chapter as well, where you see how ASP.NET also supports user-based personalization features.