PlainTextMembershipProvider

The Plain Text Membership Provider is a very simple provider for low-security scenarios. It stores a limited amount of user information (user name, e-mail and plaintext password) in a simple text file. This membership provider was created for cases where there is no administration interface and the user database has to be maintained by hand by an unskilled user, for example a photo gallery where a certain section is intended only for friends.

Storing plain text passwords is a security risk. On the other hand, we can't require common users to compute hashes if the goal is to make the database editable by hand.

The data file structure

The data file is by default named ~/App_Data/users.txt. Placing it in the App_Data folder ensures that its contents are protected from a simple HTTP query.

The file contains one line for each user, where the user name, e-mail address and password are stored in TAB-separated format:

user1	user1@example.com	user1password
user2	user2@example.com	user2password

Configuration

Sample web.config file for utilizing PlainTextMembershipProvider:

<?xml version="1.0"?>
<configuration>
    <system.web>
        <compilation debug="true" />
        <authentication mode="Forms">
            <forms defaultUrl="~/Auth/Default.aspx" loginUrl="~/Default.aspx" />
        </authentication>
        <membership defaultProvider="MyMembershipProvider">
            <providers>
                <clear/>
                <add name="MyMembershipProvider"
                     type="Altairis.Web.Security.PlainTextMembershipProvider, Altairis.Web.Security"
                     dataFilePath="~/App_Data/users.txt" 
                     ignoreInvalidLines="true"
                     cacheExpirationTime="60" />
            </providers>
        </membership>
    </system.web>
</configuration>

Provider configuration attributes

  • dataFilePath - virtual path to the data file; the default is ~/App_Data/users.txt.
  • ignoreInvalidLines - if set to true (default), invalid lines in the data file are ignored (and deleted on the next modification); if set to false, the provider throws an exception on an invalid line.
  • cacheExpirationTime - number of minutes to keep the user table in memory, by default 60; the cache is cleared when the data file is modified or cacheExpirationTime minutes after the last request. Generally, you wouldn't modify that value, because it may only help to release the memory faster and the provider is not likely to consume much memory. If you have lots of users, you would probably use more complex storage than a plain text file.
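
With ignoreInvalidLines left at its default, a hand-editing mistake (for example spaces typed instead of a TAB) silently drops that user, and the line is deleted on the next modification. The check below is an added example, not part of the provider or written by its author; it assumes a valid line has exactly three non-empty TAB-separated fields and that user names compare case-insensitively, neither of which is documented on this page.

```python
import re

# Assumption: a line is valid only if it has exactly three non-empty
# TAB-separated fields (user name, e-mail, password). The provider's own
# validation rules are not documented on this page.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

def lint_users(text):
    """Return (users, problems) for the contents of a users.txt file.

    users    -- dict of user name -> (email, password) for accepted lines
    problems -- list of (line_number, reason) for lines needing attention
    """
    users, problems, seen = {}, [], {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are skipped, not reported
        fields = line.split("\t")
        if len(fields) != 3:
            hint = " (spaces used instead of TAB?)" if "\t" not in line else ""
            problems.append((number, f"expected 3 TAB-separated fields, got {len(fields)}{hint}"))
            continue
        name, email, password = fields
        if not name or not email or not password:
            problems.append((number, "empty field"))
            continue
        if name != name.strip() or password != password.strip():
            problems.append((number, "leading or trailing whitespace in name or password"))
        if not EMAIL_RE.match(email):
            problems.append((number, "e-mail address looks malformed"))
        key = name.lower()  # assumption: user names compare case-insensitively
        if key in seen:
            problems.append((number, f"duplicate of user on line {seen[key]}"))
            continue
        seen[key] = number
        users[name] = (email, password)
    return users, problems

# Constructed sample input, not taken from a real deployment.
SAMPLE = (
    "user1\tuser1@example.com\tuser1password\n"
    "user2 user2@example.com user2password\n"      # spaces instead of TABs
    "user3\tuser3@example.com\t\n"                  # empty password
    "USER1\tother@example.com\tanotherpassword\n"   # duplicate name
)

if __name__ == "__main__":
    accepted, issues = lint_users(SAMPLE)
    for number, reason in issues:
        print(f"line {number}: {reason}")
    print(f"{len(accepted)} user(s) accepted")
```

Running it against a copy of users.txt after each manual edit, with ignoreInvalidLines set to false on a staging site, surfaces these mistakes before the provider rewrites the file.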

Last edited Oct 30, 2008 at 1:58 PM by altair, version 1
