What's the right way to implement a login form in MVC?


I've been looking into building a custom MembershipProvider, and also an AccountController... and I'm just wondering, what's the right way to build a user login function into an MVC web application?

I can see how to build something using an AccountController, and I can see how to build something with a custom Membership provider, and I can see how to use both of them together. Should both of these be used? Has one superseded the other? Is there a better, or more "standard" way of building a login function?

This is where I read about using an Account Controller and MembershipProvider together: http://kitsula.com/Article/Custom-Membership-Provider-for-MVC

This is where I read about using an Account Controller: http://www.asp.net/mvc/tutorials/mvc-music-store/mvc-music-store-part-7

And this is where I read about using a custom Membership Provider: http://www.asp.net/web-forms/videos/how-do-i/how-do-i-create-a-custom-membership-provider

All 3 solutions seem valid with MVC, but are some/all/one of these solutions outdated, or not supposed to be used with MVC, etc.?

I appreciate any assistance.


There are 2 best solutions below

0
Win On BEST ANSWER

Basically, you can use any membership provider with ASP.Net MVC.

Back to the original question, I don't think there is a right way or a wrong way. If you want to implement a Custom Membership Provider in the new MVC5, you can.

If you are developing a new application and want the latest technologies such as token-based verification and two-factor authentication, you might want to look into ASP.Net Identity 2.

FYI: None of them are backward compatible (except ASP.NET Universal Providers which is somewhat compatible with legacy Membership Provider).

0
Erik Funkenbusch On

There is nothing special about an account controller. It's just a controller, like any other controller in an MVC application. It's just one whose function is to handle the process of logging in to your website. In general, you will have a controller that handles login, whether it's called an account controller or not. It's like having a login.aspx page, or a login.php page, or whatever.

Membership is a set of classes built into the .NET framework that handles the details of managing the persistence and verification of account credentials. Its job is purely to store an account, and to allow you to validate credentials.

As of Visual Studio 2012 and .NET 4.5, Membership is no longer the preferred method, but rather ASP.NET identity, which has a similar function to Membership (storing an account, and validating credentials).

Regardless, you must have some mechanism to allow the user to log in, and you must have some mechanism to validate credentials. I suggest you use the methods provided by the framework, as security is very difficult (despite the fact it seems easy) and doing it yourself is almost guaranteed to create security holes.

There is seldom a need to create a custom membership provider, unless you have a very specific need to store credential information in a specific way. If you use Membership, you should use the default membership providers unless you have a solid reason not to. If you use ASP.NET membership, use the default implementation, again, unless you have a reason not to.

Security is something everyone thinks they can roll themselves, but the problem is that you usually don't know enough to know how little you know. Even experts make mistakes in security quite often.

So, to answer your question...

In MVC, yes... use an account controller... It's just another controller that handles logins. You have to do this somewhere anyways, just use the default implementation until you know a lot more about what you're doing. Use either the default membership, or ASP.NET Identity depending on which version of Visual Studio/MVC you have.