在ASP.NET中进行身份验证

Question

new to asp.net , currently using Session for login/logout

on login page i create a new session

          Session["login"]= anyvalue

on secure pages

 if(session["login"]!=null)
 {
   dostuff();
 }
 else
 Response.Redirect("login.aspx");

Is this an OK approach to authentication in asp.net? Should I be doing anything differently?

EDIT: Why downvotes ??? okay guys got it

Answer 1

You should use the ASP.NET membership framework. See here and here (section 7. security).

Answer 2

This approach should work fine, I too was recommended by a senior developer to write my own logic to authorize access over using the built in security mechanism (that includes login control)

You might want to add roles in the session as well

And to apply more security, you can store the session in SQL Server

Answer 3

So the basic "Asp.Net" way of doing this is to use the built-in MembershipProvider.

http://msdn.microsoft.com/en-us/library/sx3h274z(v=vs.100).aspx

There is a "baked in" MembershipProvider called the : SqlMembershipProvider

OR

If you already have a data-store with user names and passwords, you would implement a "custom membership provider".

---

Share a little more information, and you can get a little more help.

1. Where are you going to keep your usernames and passwords?
2. If you don't already have this, then please say that.
3. Is this a learning exercise, you're writing a webpage for your kids soccer club, or you're a professional web site (not necessarily asp.net) developer?