I’m writing a custom password reset application that uses a validation technique that doesn’t fit cleanly with ASP.NET Membership Provider’s challenge questions.
Namely I need to invoke a workflow and collect information from the end user (backup phone number, email address) after the user logs in using a custom form.
The only way I know to create a cookie-based session (without too much “innovation” on my part) is to use WIF.
- What other standard objects can I use with ASP.NET MVC to create an authenticated session that works with non-Windows user stores?
Ideally I can store “role” or claim information in the session object such as “admin”, “departmentXadmin”, “normalUser”, or “restrictedUser”.
The workflow would look like this:
- User logs in with username and password
- If the username and pw are correct a (stateless) cookie based session is created
- The user gets redirected to an HTML form that allows them to enter their backup phone number (for SMS dual factor), or validate it if already set.
- The user can then change their password using the form provided
The “forgot password” flow would look like this:
- User requests OTP code to be sent to the phone
- User logs in using username and OTP
- If the OTP is valid and not expired then create a cookie based session and redirect to a form that allows password reset
- Show password reset form, and process results.
First, check out the improved membership bits that were released with 4.5 — it should be easier to implement custom options on top of than the old creaky structure.
In either case, you can do some very effective “let the membership providers handle the major authentication and use your own database to handle extensions.” Even the old ones have a concept of account approval you can manage programmatically.
Another option would be to use ASP.NET’s authentication bits but roll your own backing. You can start with this article to get some of the basics and add on parts from there.
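One concrete shape for the “ASP.NET authentication bits with your own backing” route, as an added example that is not from the question or either answer: a stateless FormsAuthentication cookie that carries roles inside the encrypted ticket, with the OTP login issuing a deliberately narrow session so the reset cookie cannot reach anything but the reset form. The class name, role names and lifetimes are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Stateless cookie session on top of FormsAuthentication: roles travel in the
// ticket's UserData, so no server-side session store is needed (names are assumed).
public static class CookieSession
{
    // Full login after username + password: grant the user's real roles.
    public static void IssueFullSession(HttpResponseBase response, string userName, string[] roles)
    {
        Issue(response, userName, roles, TimeSpan.FromMinutes(30));
    }

    // OTP login for "forgot password": a short-lived session whose only role is
    // PasswordResetOnly, so [Authorize(Roles = "PasswordResetOnly")] guards the reset form alone.
    public static void IssuePasswordResetSession(HttpResponseBase response, string userName)
    {
        Issue(response, userName, new[] { "PasswordResetOnly" }, TimeSpan.FromMinutes(5));
    }

    private static void Issue(HttpResponseBase response, string userName, string[] roles, TimeSpan lifetime)
    {
        var now = DateTime.Now; // FormsAuthenticationTicket.Expired compares against local time
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(lifetime), false, string.Join(",", roles));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true, // not readable from script
            Secure = true    // only sent over HTTPS
        };
        response.Cookies.Add(cookie);
    }

    // Call from Application_PostAuthenticateRequest in Global.asax to turn the ticket
    // back into a principal; after this, [Authorize(Roles = "...")] works per request.
    public static void RestorePrincipal(HttpContext context)
    {
        var cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; } // tampered or re-keyed cookie: treat request as anonymous
        if (ticket == null || ticket.Expired) return;
        var roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(new GenericIdentity(ticket.Name, "Forms"), roles);
    }
}
```

Once the new password is accepted, issue a full session (or clear the cookie and require a normal login) so the PasswordResetOnly ticket is never reused.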
I’ve worked on writing my own simple authentication system named FSCAuth. It’s been out for a while, but it’s by no means “guaranteed” secure. Anyway, if you’re considering rolling your own authentication anyway (which is always risky), you might consider using my authentication framework as a jumping-off point. It’s designed to be trivial to extend, but only implement what people actually care about.
One of its goals is to handle the cookie stuff for you and never leave you to mess with hash values (where you can make something insecure very subtly). However, your use case makes it sound like some modification would be in order.
I have a few “branches” of FSCAuth:
- BSD licensed with paid support option at Binpress
- Same copy as what’s at Binpress but easily browsable at bitbucket
- Integrated into my custom MVC framework (BSD). Not quite compatible with the old version, but this version is in active development (and currently experimental), where the others are probably dead (due to lack of interest) at bitbucket