
asp.net security : High Level Question


GaryDean
6/25/2007 5:51:29 PM
I'm trying to decide if we should use the ASP.Net 2.0 authentication tools
or roll-our-own forms authentication as we always did (with little work) in
1.1 apps. What I'm afraid of is that we will get stuck on a cul-de-sac as
we sometimes do using those "no code required" tools.

I see I can define users and roles and access to folders, but can I add my
own data about the users - for instance I would certainly need their
employee number or maybe other things about them, such as which fields they
can see on the payroll file. Can I do this? Is this what Profiles are for?

Are there any gotchas in these tools? (I know there are no gotchas in the
roll-our-own solution.)

Thanks,
Gary Blakely

Dominick Baier
6/26/2007 12:00:00 AM
That's an excellent question!

The one important point here is - membership is not made for extensibility.
If the membership feature does 100% what you need - go for it. If not - there
is no point in doing providers for providers' sake.

You cannot add additional data to the membership table (at least not in a
clean way) - that's what profile is for.

That said - another fact is that MS is integrating membership/roles into
a couple of products (WCF, IIS7, Sharepoint) - and if you plan to use them
in the future - you can easily integrate your auth logic...

I would say if you have a working implementation already think about two
things

a) just use what you have (and works)
b) write a thin wrapper around some of your existing functionality using
membership/roles - just enough to enable RAD tools and reuse...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
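Option b) above in code, as an added example that is not part of the original thread or of Dominick's book: a thin, read-only RoleProvider that wraps an existing role lookup so that Roles.IsUserInRole, <authorization> rules and the RAD security controls all run against the roll-your-own data. The LookupRoles body and the user names are constructed stand-ins for whatever query the 1.1 app already has.

```csharp
using System;
using System.Web.Security;

// Read-only RoleProvider exposing an existing employee/role lookup to ASP.NET 2.0
// (Roles.IsUserInRole, <authorization> rules, the RAD login/security controls).
public class LegacyRoleProvider : RoleProvider
{
    private string appName = "PayrollApp";

    // Stand-in for the application's existing role query (constructed sample data).
    private static string[] LookupRoles(string username)
    {
        switch ((username ?? "").ToLowerInvariant())
        {
            case "alice": return new string[] { "PayrollAdmin", "Employee" };
            case "bob":   return new string[] { "Employee" };
            default:      return new string[0];
        }
    }

    public override string ApplicationName
    {
        get { return appName; }
        set { appName = value; }
    }

    public override string[] GetRolesForUser(string username)
    {
        return LookupRoles(username);
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        foreach (string r in LookupRoles(username))
            if (string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    public override string[] GetAllRoles() { return new string[] { "PayrollAdmin", "Employee" }; }
    public override bool RoleExists(string roleName) { return Array.IndexOf(GetAllRoles(), roleName) >= 0; }

    // Role administration stays in the existing system; refuse the write side here.
    public override void AddUsersToRoles(string[] users, string[] roles) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] users, string[] roles) { throw new NotSupportedException(); }
}
```

Register it in web.config under `<roleManager enabled="true" defaultProvider="LegacyRoles">` with `<providers><clear/><add name="LegacyRoles" type="LegacyRoleProvider"/></providers>`; keeping the write side unsupported means role changes still happen only through the existing, already-audited path.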
