How Membership Works

To use membership, you must first configure it for your site. In outline, you follow these steps:

  1. Specify membership options as part of your Web site configuration. By default, membership is enabled. You can also specify what membership provider you want to use. (In practical terms, this means that you are specifying what type of database you want to keep membership information in.) The default provider uses a Microsoft SQL Server database. You can also choose to use Active Directory to store membership information, or you can specify a custom provider (NetPass Membership Provider). For information on membership configuration options that can be specified in the Web.config file for your ASP.NET application, see Configuring NetPass.
  2. Configure your application to use Forms authentication (as distinct from Windows or Passport authentication). You typically specify that some pages or folders in your application are protected and are accessible only to authenticated users.
  3. Define user accounts for membership. You can do this in a variety of ways. You can use the Web Site Administration Tool, which provides a wizard-like interface for creating new users. Alternatively, you can create a "new user" ASP.NET Web page where you collect a user name and password (and optionally an e-mail address), and then use a membership function named CreateUser to create a new user in the membership system.

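The following is an added example, not code from the original page or from the NetPass documentation, showing the three steps above end to end: the Web.config settings that steps 1 and 2 describe (shown in a comment, with the provider name left as a placeholder), and a hand-written "new user" page that calls Membership.CreateUser for step 3. The control names (UserNameTextBox, PasswordTextBox, EmailTextBox, MessageLabel) are assumed.

```csharp
// Added example: a "new user" code-behind page for an ASP.NET Web Forms application.
// Control names are assumed; the membership provider name is a placeholder.
//
// Steps 1 and 2 are configuration in Web.config. The minimal settings this page
// depends on are:
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="~/Login.aspx" requireSSL="true" />
//     </authentication>
//     <membership defaultProvider="YOUR_PROVIDER_NAME" />   <!-- placeholder -->
//   </system.web>
//   <location path="Members">   <!-- protected folder: anonymous users ("?") are denied -->
//     <system.web><authorization><deny users="?" /></authorization></system.web>
//   </location>
using System;
using System.Web.Security;
using System.Web.UI;

public partial class NewUser : Page
{
    protected void CreateButton_Click(object sender, EventArgs e)
    {
        MembershipCreateStatus status;

        // CreateUser writes the account through whichever provider Web.config
        // names; no database code is needed here. This overload reports failure
        // through the 'out' status instead of throwing.
        MembershipUser newUser = Membership.CreateUser(
            UserNameTextBox.Text.Trim(),
            PasswordTextBox.Text,
            EmailTextBox.Text.Trim(),
            null,   // password question: only required when requiresQuestionAndAnswer="true"
            null,   // password answer
            true,   // isApproved: use false if accounts must be activated by an administrator
            out status);

        if (status == MembershipCreateStatus.Success)
        {
            MessageLabel.Text = "Account created. You can now log in.";
            return;
        }

        MessageLabel.Text = DescribeFailure(status);
    }

    // Password-policy failures can be explained to the user; duplicate-name and
    // duplicate-e-mail failures are reported in the same generic wording so the
    // page does not confirm which accounts already exist.
    private static string DescribeFailure(MembershipCreateStatus status)
    {
        switch (status)
        {
            case MembershipCreateStatus.InvalidPassword:
                return string.Format(
                    "Password must be at least {0} characters long and contain at least {1} non-alphanumeric characters.",
                    Membership.MinRequiredPasswordLength,
                    Membership.MinRequiredNonAlphanumericCharacters);
            case MembershipCreateStatus.InvalidUserName:
            case MembershipCreateStatus.InvalidEmail:
                return "The user name or e-mail address is not in a valid format.";
            case MembershipCreateStatus.DuplicateUserName:
            case MembershipCreateStatus.DuplicateEmail:
                return "The account could not be created with those details. Please try different values.";
            default:
                // InvalidQuestion, InvalidAnswer, UserRejected, ProviderError, ...
                return "The account could not be created. Please try again later.";
        }
    }
}
```

The password rules quoted in the InvalidPassword message come from the provider's own configuration (minRequiredPasswordLength and minRequiredNonAlphanumericCharacters), so the page and the provider cannot disagree about the policy.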
You can now use membership to authenticate users in your application. Most often, you will provide a login form, which might be a separate page or a special area on your home page. You can create the login form by hand using ASP.NET TextBox controls, or you can use ASP.NET login controls. Because you have configured the application to use Forms authentication, ASP.NET will automatically display the login page if an unauthenticated user requests a protected page.

Note: The ASP.NET login controls (Login, LoginView, LoginStatus, LoginName, and PasswordRecovery) encapsulate virtually all of the logic required to prompt users for credentials and validate the credentials in the membership system.

If you use login controls, they will automatically use the membership system to validate a user. If you have created a login form by hand, you can prompt the user for a user name and password and then call the ValidateUser method to perform the validation. After the user is validated, information about the user can be persisted (for example, with an encrypted cookie, if the user's browser accepts cookies) using Forms authentication. The login controls perform this task automatically. If you have created a login form by hand, you can call methods of the FormsAuthentication class to create the cookie and write it to the user's computer. If a user has forgotten his or her password, the login page can call membership functions that help the user recover the password or create a new one.

Each time the user requests another protected page, ASP.NET Forms authentication checks whether the user is authenticated and then either allows the user to view the page or redirects the user to the login page. By default, the authentication cookie remains valid for the user's session.

After a user has been authenticated, the membership system makes available an object that contains information about the current user. For example, you can get properties of the membership user object to determine the user's name and e-mail address, when the user last logged into your application, and so on.

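The hand-built login flow described above (ValidateUser followed by the FormsAuthentication cookie) and the per-user information available afterwards are shown together in this added example; it is not code from the original page or from the NetPass product. The page classes and control names (Login, Account, UserNameTextBox, PasswordTextBox, MessageLabel, NameLabel, EmailLabel, LastLoginLabel) are assumed, and the forgot-password helper assumes requiresQuestionAndAnswer="false".

```csharp
// Added example: hand-written login page plus a protected page that reads the
// membership user object. Class and control names are assumed.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserNameTextBox.Text.Trim();
        string password = PasswordTextBox.Text;

        // ValidateUser hands the credentials to the configured provider, which
        // does the lookup and comparison against the stored password and, for the
        // SQL provider, counts failed attempts towards lockout. No SQL here.
        if (!Membership.ValidateUser(userName, password))
        {
            // One message for "unknown user", "wrong password" and "locked out",
            // so the response does not reveal which accounts exist.
            MessageLabel.Text = "The user name or password is incorrect.";
            return;
        }

        // Writes the encrypted, signed Forms authentication ticket as a cookie and
        // redirects to the ReturnUrl that sent the user here (or to the configured
        // defaultUrl). createPersistentCookie=false: the ticket lasts for the
        // session only, matching the default behaviour described on this page.
        FormsAuthentication.RedirectFromLoginPage(userName, false);
    }

    // Forgot-password support. ResetPassword() generates a new random password
    // that the application then delivers out of band (e-mail code omitted).
    // Membership.GetPassword only works when passwords are stored reversibly
    // (passwordFormat Clear or Encrypted); with Hashed storage a reset is the
    // only option, and it is the safer default regardless.
    private static string ResetPasswordFor(string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        return user == null ? null : user.ResetPassword();
    }
}

public partial class Account : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Once authenticated, Membership.GetUser() returns the membership user
        // object for the caller, resolved by the provider from the name in the
        // authentication ticket. Null means the ticket names an account that no
        // longer exists, so the ticket is discarded rather than trusted.
        MembershipUser current = Membership.GetUser();
        if (current == null)
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        NameLabel.Text = current.UserName;
        EmailLabel.Text = current.Email;
        LastLoginLabel.Text = current.LastLoginDate.ToString("u");
    }
}
```

Because the Account page sits in a folder that Forms authentication protects, an unauthenticated request never reaches Page_Load; ASP.NET redirects it to the login page first, and the null check only covers the case of a valid ticket for a deleted account.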
An important aspect of the membership system is that you never need to explicitly perform any low-level database functions to get or set user information. For example, you create a new user by calling the membership CreateUser method. The membership system handles the details of creating the necessary database records to store the user information. When you call the ValidateUser method to check a user's credentials, the membership system does all the database lookup for you.