Summary: The membership component of ASP.NET 2.0 gives developers a very easy-to-use set of interfaces for user management and user authentication. This article briefly analyzes how it is implemented and describes how to use it correctly and how to extend it.
First, the MembershipProvider abstract class
In many cases we do not use this class directly when working with membership. The MembershipProvider class defines abstract methods and abstract properties; these members form the basic specification of the membership interface, and the .NET Framework itself invokes membership functionality through this type. By implementing these members, an inheriting class provides the user-management functionality independently of context, without affecting the membership framework itself. The following is the MembershipProvider definition:
public abstract class MembershipProvider : ProviderBase
{
    // Events
    public event MembershipValidatePasswordEventHandler ValidatingPassword;
    // Methods (declarations only; the internal ones are the password helpers discussed below)
    protected MembershipProvider();
    public abstract bool ChangePassword(string username, string oldPassword, string newPassword);
    public abstract bool ChangePasswordQuestionAndAnswer(string username, string password, string newPasswordQuestion, string newPasswordAnswer);
    public abstract MembershipUser CreateUser(string username, string password, string email, string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey, out MembershipCreateStatus status);
    protected virtual byte[] DecryptPassword(byte[] encodedPassword);
    public abstract bool DeleteUser(string username, bool deleteAllRelatedData);
    internal string EncodePassword(string pass, int passwordFormat, string salt);
    protected virtual byte[] EncryptPassword(byte[] password);
    public abstract MembershipUserCollection FindUsersByEmail(string emailToMatch, int pageIndex, int pageSize, out int totalRecords);
    public abstract MembershipUserCollection FindUsersByName(string usernameToMatch, int pageIndex, int pageSize, out int totalRecords);
    internal string GenerateSalt();
    public abstract MembershipUserCollection GetAllUsers(int pageIndex, int pageSize, out int totalRecords);
    public abstract int GetNumberOfUsersOnline();
    public abstract string GetPassword(string username, string answer);
    public abstract MembershipUser GetUser(object providerUserKey, bool userIsOnline);
    public abstract MembershipUser GetUser(string username, bool userIsOnline);
    internal MembershipUser GetUser(string username, bool userIsOnline, bool throwOnError);
    public abstract string GetUserNameByEmail(string email);
    protected virtual void OnValidatingPassword(ValidatePasswordEventArgs e);
    public abstract string ResetPassword(string username, string answer);
    internal string UnEncodePassword(string pass, int passwordFormat);
    public abstract bool UnlockUser(string userName);
    public abstract void UpdateUser(MembershipUser user);
    public abstract bool ValidateUser(string username, string password);
    // Properties
    public abstract string ApplicationName { get; set; }
    public abstract bool EnablePasswordReset { get; }
    public abstract bool EnablePasswordRetrieval { get; }
    public abstract int MaxInvalidPasswordAttempts { get; }
    public abstract int MinRequiredNonAlphanumericCharacters { get; }
    public abstract int MinRequiredPasswordLength { get; }
    public abstract int PasswordAttemptWindow { get; }
    public abstract MembershipPasswordFormat PasswordFormat { get; }
    public abstract string PasswordStrengthRegularExpression { get; }
    public abstract bool RequiresQuestionAndAnswer { get; }
    public abstract bool RequiresUniqueEmail { get; }
    // Fields
    private MembershipValidatePasswordEventHandler _EventHandler;
    private const int SALT_SIZE_IN_BYTES = 0x10;
}
Among the members above, several methods with the internal modifier are used to encrypt, decrypt, and verify passwords. The design here seems to have a problem: internal scope looks inappropriate for these methods. They are defined in the base class so that they can be reused, but in practice they cannot be, because internal members can be used only within the same assembly (in the normal case; other means such as reflection are not counted), which means that we cannot use these methods in our own extended MembershipProvider. Judging from current usage, these methods are used only in SqlMembershipProvider, so I think their modifier should be changed to protected.
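Because GenerateSalt and EncodePassword are internal, a provider written outside the framework assembly has to supply its own equivalents. The following is an added example, not code from the .NET Framework or from the original article: a hypothetical intermediate base class (HashingMembershipProviderBase and its three helper names are assumptions) that exposes protected helpers to derived providers. It uses PBKDF2 through Rfc2898DeriveBytes as its own choice and does not reproduce the behaviour of the internal EncodePassword.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Security;

// Hypothetical base class for custom providers; not part of the .NET Framework.
// It stays abstract, so the abstract MembershipProvider members are left to the
// concrete provider that derives from it.
public abstract class HashingMembershipProviderBase : MembershipProvider
{
    private const int SaltSizeInBytes = 0x10;  // same size as SALT_SIZE_IN_BYTES in the listing
    private const int HashSizeInBytes = 20;    // one HMAC-SHA1 output block
    private const int Iterations = 100000;     // assumed work factor; tune for your hardware

    // Returns a random salt as Base64, ready to store beside the password hash.
    protected static string GenerateSaltValue()
    {
        byte[] salt = new byte[SaltSizeInBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return Convert.ToBase64String(salt);
    }

    // Derives the value to store from the password and a Base64 salt (PBKDF2).
    protected static string HashPassword(string password, string salt)
    {
        Rfc2898DeriveBytes kdf =
            new Rfc2898DeriveBytes(password, Convert.FromBase64String(salt), Iterations);
        return Convert.ToBase64String(kdf.GetBytes(HashSizeInBytes));
    }

    // Compares every byte so that timing does not reveal where the first
    // mismatch occurs; a length difference also counts as a mismatch.
    protected static bool VerifyPassword(string candidate, string salt, string storedHash)
    {
        byte[] actual = Convert.FromBase64String(HashPassword(candidate, salt));
        byte[] expected = Convert.FromBase64String(storedHash);
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++)
            diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}
```

A concrete provider would call GenerateSaltValue and HashPassword from its CreateUser and ChangePassword overrides, and VerifyPassword from ValidateUser.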