SqlServer membership/role - Web.Config

[David Thielen]

4. Is this the correct & complete Web.Config for the SqlServer
membership/role provider:
<roleManager enabled="true"/>
<authentication mode="Forms">
<forms loginUrl="login.aspx">
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<membership defaultProvider="AspNetSqlMembershipProvider"/>

 

[Steven Cheng[MSFT]]

Hi Dave,

Thank you for posting.

As for the configure snippet you provided, it indicates that you're using
Forms Authentication and the MemberShip Provider is the default
Sqlmembership Provider. And the SqlMembershipProvider use all the default
setting as configured in the machine.config. You can find the default
setting for SqlMembershipProvider in your machine.config's <membership>
section. The default one is as below:

=========in machine.config======
<membership>
<providers>
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSqlServer" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="true"
applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10"
passwordStrengthRegularExpression="" />
</providers>
</membership>
==================

You can override or change some of the options in your application by
redefine it in the web.conifig. e.g.

=======in web.config==========
<membership>
<providers>
<remove name="AspNetSqlMembershipProvider">
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

our custom options settings ................

/>
</providers>
</membership>
=======================

#membership Element (ASP.NET Settings Schema)
http://msdn2.microsoft.com/en-us/library/1b9hw62f.aspx

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[David Thielen]

Hi;

Should I change the provider setting? And if so to what (and why)?

Also, is the roleManager/authentication/membership settings I have correct?
It all works fine but I want to make sure I haven't left a security hole.

 

[Steven Cheng[MSFT]]

Thanks for your response Dave,

So far I don't think there is any security holes and all the setting you're
currently applying are the default setting. Why do you want to change it?
If is only when the default setting doesn't quite meet your requirement
will you need to customize it. As I've provide the example that redefine
the SQL Membership provider setting in application's web.config file, you
can customize some of the attributes of that provider if you want.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)