Bill Gates PDC Speech Link

WSV320 - ASP.NET: Programming with the Membership, Role Managment and Security in ASP.NET Whidbey - NOTES


Rob Howard Speaking on Security in ASP.NET Whidbey

Rob Howard – Membership, Role Management and Security in ASP.NET Whidbey


Blog: and


Forms Authentication 1.0

  • Solves a common problem developers had with their web apps
  • Most popular Internet auth. Technique
    • No ugly/confusing dialog boxes
    • Custom authentication uses HTML UI
  • Use credentials collected on page
    • Posted back to the server
    • Page obtains credentials issues auth. Ticket
  • ASP.NET Forms Authentication APIs
    • APIs for creating authentication ticket
    • Authenticate requests in Http Pipeline 

Forms Authentication 2.0

  • Whidbey
  • Cookies no longer a requirement
    • When supported, Cookies still best choice
  • Single Forms Authentication model
    • Mobile & Desktop
    • All ASP.NET 2.0 controls are now mobile aware
    • No special device adapters or pages 


Cookieless Modes

useDeviceProfile – detects whether to use cookies based on the user agent of the device (default)

useCookies – all requests store ticket In cookie

auto – auto detects whether to use cookies or to store ticket in URI by attempting to send the user a cookie

useURI – all request store ticket in URI


Pretty cool – seems you might want to use useURI most of the case though.


Security Services Stack

  • Composed of the APIs of Membership and Role Manager
  • Back end to data – SQL 7&2000, Jet(Access) and Authorization Manager and User defined
  • Out of the box, at least three options
  • Didn’t want to force users into a data model
  • The ones we defined will work for most cases
  • Can also drop in your own business logic
  • For everyone of these data providers – there is actually a separate class
  • There is no business logic in the Membership and Role manager classes – it is all in the database providers
  • On top of all this – set of rich server controls 


  • Membership
    • Solves common credential storage problem
    • Replace complex authentication code
  • Secure Credential Storage Services
    • Hashed + randon salt for user credentials
    • Eliminates complex security plumbing code
  • Comprehensive user management
    • Credential Validation /Who is online
    • Question/Answer password reset/retrieve 

Membership.ValidateUser(username.Text, Password.Text)


Membership APIs



  • User management
    • Validate credentials
    • Creeate, Delete, Update
  • Finding/Getting Users
    • By Username/Email
    • Users online
  • Password management
    • Password reset
    • Question/Answer 

Can have two applications on the server that share the same users/passwords

There is also : CreateUser, DeleteUser, GetAllUsers, GetUser, GetUserNameByEmail, GetNumberOfUsersOnline, UpdateUser … more


MembershipUser Class


  • Membership.UpdateUser()
    • Used to update user properties
  • Access to user details
    • Last login date
    • Password change date
  • Disable authentication 

Membership configuration






requiresUniqueEmail attribute is cool.

description will show in ASP.NET tools.



  • Not just a data access layer – also the business layer
  • Users new Provider Design pattern
    • Pluggable Data Access Layer (DAL)
    • Pluggable Business Logic Layer (BLL)
  • Ships with 2 Membership Providers
    • SQL Server – Production Application
    • Access – testing/development
    • Identical APIs through Membership 

Writing Membership Providers

  • Implement IMembershipProvider
    • All methods properties for Membership
    • Will be bsttract base class in beta – for our versioning purposes
  • Register custom provider
    • Membership APIs then call your class
    • All logic in your class
    • If you want an Oracle provider – role your own 

DEMO of XML Membership Provider and derive from SqlMembershipProvider


Role Caching

  • When cookies are supported
    • Stores encrypted list of roles
    • No database lookups on each request
  • When cookies not supported
    • Role manager still works
    • Lookup to cached list in application
  • When more roles than cookie can store
    • Incremental Roles cookie
    • Stores LRU list of roles Roles Class
  • Role Management
    • Create, Update, Delete
    • IsUserInRole / Roles for User
  • Adding / Removing

Going back to Visual Basic?

I am not a fan of the official name “Visual Basic .NET” for the VB language. It was too bad that the .NET moniker name was thrown on everything. Microsoft obviously has as well since they changed the beta product “Windows Server .NET 2003” to “Windows Server 2003”. So I have been asking around if they are going to do the same thing with Visual Basic .NET. In most of the presentations here at PDC though - you see “Visual Basic .NET” - BUT if you go to the Whidbey page for this language - - you can see that they just call it “Visual Basic” and nothing else.

To me, I would like the official name to be - “Visual Basic 8.0” so we all can call it “Visual Basic” or “VB” again!!!