What .NET objects should I use to create a cookie based session in MVC

Tags: asp.net-mvc, authentication, passwords, role, workflows

I'm writing a custom password reset application that uses a validation technique that doesn't fit cleanly with ASP.NET Membership Provider's challenge questions.

Namely I need to invoke a workflow and collect information from the end user (backup phone number, email address) after the user logs in using a custom form.

The only way I know to create a cookie-based session (without too much "innovation" on my part) is to use WIF.

  • What other standard objects can I use with ASP.NET MVC to create an authenticated session that works with non-Windows user stores?

Ideally I can store "role" or claim information in the session object such as "admin", "departmentXadmin", "normalUser", or "restrictedUser".


The workflow would look like this:

  1. User logs in with username and password
  2. If the username and pw are correct a (stateless) cookie based session is created
  3. The user gets redirected to an HTML form that allows them to enter their backup phone number (for SMS dual factor), or validate it if already set.
  4. The user can then change their password using the form provided

The "forgot password" would look like this:

  1. User requests OTP code to be sent to the phone
  2. User logs in using username and OTP
  3. If the OTP is valid and not expired then create a cookie based session and redirect to a form that allows password reset
  4. Show password reset form, and process results.

Best Answer

First, check out the improved membership bits that were released with 4.5 -- it should be easier to implement custom options on top of than the old creaky structure.

In either case, you can do some very effective "let the membership providers handle the major authentication and use your own database to handle extensions." Even the old ones have a concept of account approval you can manage programmatically.

Another option would be to use ASP.NET's authentication bits but roll your own backing. You can start with this article to get some of the basics and add on parts from there.
