If you are an ASP.NET developer, you are probably familiar with both membership and HTTP basic authentication. If you are familiar with IIS’s different authentication methods, you also know that the only way to use HTTP authentication on IIS is to verify the credentials against the Windows account store. In this post, we’ll discuss how you can get IIS to use basic authentication against an ASP.NET Membership store.
The first question you should ask yourself is why you would want to do this. After all, basic authentication has some serious drawbacks, most notably that credentials are sent as plain text when you don’t use SSL, and that you can’t force users to sign out because of HTTP’s stateless nature (most browsers cache the credentials until you close the browser window).
On the other hand, there are also some benefits to using basic authentication in combination with IIS. It provides a generic interface for authentication supported by all clients that implement the HTTP protocol; using membership, you can share credentials over several web applications; and it is platform independent (it doesn’t matter if you use classic ASP, PHP, ASP.NET or anything else that runs on IIS).
So to be more concrete, how do we implement this feature? We implement a System.Web.IHttpModule and handle the AuthenticateRequest event. For more details on how to implement this, download the attachment to this post.
The module can be configured with the following options:
<authenticationSection xmlns="urn:BasicAuthenticationModule" enabled="true" realm="test"
requireAuthentication="true" requireSsl="false">
<cache enableCache="false" cacheDurationMinutes="1"/>
<roles enableRoles="true" applicationRoleName="sample"/>
</authenticationSection>
/authenticationSection/enabled
- defines whether the module is used or not
/authenticationSection/realm
- the text to be displayed in the login dialog
/authenticationSection/requireAuthentication
- if set to false, both anonymous and authenticated users are allowed in (your application logic can then handle these situations accordingly)
/authenticationSection/requireSsl
- if set to true, users can’t authenticate unless the request was made over HTTPS
/authenticationSection/cache/enableCache
- if enabled, the authentication key of the user is cached for the defined period. You might want to enable this because HTTP is stateless: every request to the server is authenticated, and each authentication makes a round trip to the database. This includes CSS files, images and JavaScript files, so without caching it can easily be 15 database requests per page.
/authenticationSection/cache/cacheDurationMinutes
- the duration of the cache in minutes
/authenticationSection/roles/enableRoles
- enables role checking for your application. This feature is useful when you share your membership database over several applications: you can then represent every application as a role, allowing you to configure which applications a user has access to.
/authenticationSection/roles/applicationRoleName
- the name of the role/application that will be used to assign rights to users.
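To make the approach concrete, here is an added C# sketch of such a module written for this post; it is not the code from the attachment. The option values (realm, requireAuthentication, requireSsl, enableRoles, applicationRoleName) are hard-coded as assumptions instead of being read from the configuration section, and the cache option is left out.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

// Hypothetical module illustrating the idea; the attachment's real code is not on the page.
public class MembershipBasicAuthModule : IHttpModule
{
    // Stand-ins for the <authenticationSection> options (assumed values for this example).
    const string Realm = "test", ApplicationRoleName = "sample";
    const bool RequireAuthentication = true, RequireSsl = false, EnableRoles = true;

    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticateRequest; }
    public void Dispose() { }

    static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // requireSsl: do not even look at credentials that arrive over plain HTTP.
        if (RequireSsl && !ctx.Request.IsSecureConnection) { End(ctx, 403); return; }
        string header = ctx.Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(header) || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
        {
            // requireAuthentication=false lets anonymous requests through; the app decides what to do.
            if (RequireAuthentication) Challenge(ctx);
            return;
        }
        string user = null, pass = null;
        try
        {
            // Header is "Basic base64(user:password)"; split on the first ':' only, since passwords may contain ':'.
            string decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
            int sep = decoded.IndexOf(':');
            if (sep > 0) { user = decoded.Substring(0, sep); pass = decoded.Substring(sep + 1); }
        }
        catch (FormatException) { /* malformed base64 is treated as missing credentials */ }
        // Membership checks the password against the configured provider: one database round trip per request.
        if (user == null || !Membership.ValidateUser(user, pass)) { Challenge(ctx); return; }
        // enableRoles: membership of the application's role decides whether this user may use this application.
        if (EnableRoles && !Roles.IsUserInRole(user, ApplicationRoleName)) { End(ctx, 403); return; }
        string[] roles = EnableRoles ? Roles.GetRolesForUser(user) : new string[0];
        ctx.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), roles);
    }

    // 401 plus WWW-Authenticate makes the browser show the login dialog with the configured realm.
    static void Challenge(HttpContext ctx)
    {
        ctx.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        End(ctx, 401);
    }
    static void End(HttpContext ctx, int status) { ctx.Response.StatusCode = status; ctx.ApplicationInstance.CompleteRequest(); }
}
```

CompleteRequest is used instead of Response.End so the pipeline is short-circuited without the ThreadAbortException that Response.End raises.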
To start using the application, you have to either copy the .dll in the download to the bin folder or add the DLL to the Global Assembly Cache so that all your applications can use it in IIS. Next, you have to make sure you have the following sections included and configured in your web.config file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="authenticationSection"
type="BasicAuthenticationModule.AuthenticationSection,
BasicAuthenticationModule"/>
</configSections>
<authenticationSection xmlns="urn:BasicAuthenticationModule"
enabled="true" realm="dex test"
requireAuthentication="true" requireSsl="false">
<cache enableCache="false"
cacheDurationMinutes="1"/>
<roles enableRoles="true"
applicationRoleName="sample"/>
</authenticationSection>
<connectionStrings>
<add name="ApplicationServices"
connectionString="data source=.;Integrated Security=SSPI;
AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<membership>
<providers>
<clear />
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="ApplicationServices"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<clear />
<add name="AspNetSqlRoleProvider"
type="System.Web.Security.SqlRoleProvider"
connectionStringName="ApplicationServices"
applicationName="/" />
</providers>
</roleManager>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true">
<add name="CustomBasicAuthentication"
type="BasicAuthenticationModule.AuthenticationModule,
BasicAuthenticationModule" />
</modules>
</system.webServer>
</configuration>
I’m assuming you already know how to set up the membership database. If not, you can find more information on the MSDN page on configuring membership.