Vulnerability in EPiServer.Forms
I have a website which is going to have a section where the visitor has to log in to be able to use. I do not want to store these users in the EPiServer user-database but rather in another database (or preferably another application, for example a .net web api website). I may want to use facebook or some other mechanism for signing users up/loging on to the website. And I will want to save custom data for the user in some way (other than credentials..). Usage of the built in ways to check if authenticated in .NET would be nice (User.IsAuthenticated, Authorize-attributes..), and also being able to use roles and doing impersonation for a specific user when an administrator is logged in to EPiServer.
What is the prefered way of dealing with such things in EPiServer 9+ without messing around with the internal EPiServer user-database?
For the Admin/Edit UI i use the standard sqlserver membership provider so there is nothing special there.
Thanks in advance for any insight you might offer :)
Well, I guess you have two options.
1. The easy path is implementing a custom membership and roleprovider a la .NET 2.0. Nothing fancy there but gives you control over where to save your users etc.
2. Federated solution with SSO. This is a trickier path. You can check out
for a brief guide. If you don't really really need single sign on between the sites, I would go for the first option. It's easy to implement and to maintain. Number 2 is pretty easy to create a working prototype of but tricky to implement correctly without bug and when it starts to go wrong it can cost quite a few hours to find errors. I recommend to use heavy logging for both for maintainability.