Skip to content

MembershipReboot v5 released

December 20, 2013

After many hours of work, I’m happy to say that I’ve released MembershipReboot v5. This release has some main points:

  • Some minor vulnerabilities from v4 were fixed (and thus the implementation is more resilient to attacks)
  • The repository and entity design was reworked significantly to allow an easier time with:
    • defining custom entity properties/columns
    • using a non-GUID primary key
    • allowing for all the entity classes to be custom classes
    • allowing for use of non-ORM backing store
  • Better designed OWIN/Katana support
  • There is now support for “password reset secrets”
  • Added migrations into the EF project to migrate from v4 to v5
  • A few other bug fixes here & there

Here’s the link to the release notes (tho they’re mainly just a wild list of changes). All the NuGets were updated to v5.

If you’re just getting started, then I’d suggest looking at the main sample.


31 Comments leave one →
  1. December 24, 2013 9:39 am

    Thanks for doing this, Brock!

  2. January 7, 2014 3:58 am

    Hello Bock, how can we assign roles ?

  3. January 8, 2014 3:38 am

    Another question, I am using Membership reboot with web forms, when I finish I will send you the work done maybe you can add it to the samples.

    I successfully initialized the AuthenticationSevices using SamAuthenticationServices, but I was not able to initialize with Owin authentication, either with using Nancy or without.

    Can you please help with this. How can I initialize AuthenticationSevices using Owing and without Nany?

    Thank you

  4. girts637aGirts permalink
    January 8, 2014 3:58 am

    Thanks for doing this and even more for releasing as open source!

    I’m evaluating your solution for one of our projects and there is one thing that doesn’t fit with out requirements – using the mobile phone number as username.

    The default username validator requires that the username contains at least one letter effectively disallowing the use of phone numbers.
    I could certainly work around this by inheriting the UserAccountService and overriding the ValidateUsername method but I’m wondering if there is a good reason behind requiring at least one letter (like guarding against brute force attacks)?

    In a future release may I suggest you think about making the validation even more flexible, i.e. allowing us to build our own ‘AggregateValidator’s.

    If this is already documented somewhere, please point me in the right direction. Thanks!

  5. Faisal permalink
    January 14, 2014 6:47 am

    Many thanks. Your work has helped me massively.

  6. tom permalink
    January 28, 2014 6:07 am

    I am new to identity management, but would like to know if it is possible to exposes the methods of MR as a Rest service so that I can use it from different applications. in fact I am writting a rest service that will be used by different plugin using the rest api, I will also have a web app that will connect and use this rest service.

    • January 28, 2014 9:25 am

      Sure, it’s possible. There’s nothing built-in for this, so you’d be building it yourself.

  7. January 28, 2014 7:36 pm

    Are there any plans to have MR end up inheriting / be built on top off and extend the new ASP.Net Identity introduced with MVC 5? Or is your idea to be a competitor of sorts with identity? I’ve been playing with MR and I’m pretty happy with it btw, nice work.

  8. Andre permalink
    February 21, 2014 7:59 am

    I implemented MR with EF6 und MVC. Everything works fine, but when I configure EF with this.Configuration.LazyLoadingEnabled = true; the app stops working. What can I do to enable LazyLoading?

  9. Connie DeCinko permalink
    April 3, 2014 4:03 pm

    We are needing to allow outside companies the ability to lookup users in our system and authorize them to login to their system. Sort of like how one would use Facebook to login to another web site. Do you have any samples or guidance for using MembershipReboot as a service over the web?

    • April 3, 2014 9:58 pm

      You should deploy a security token service — this issues tokens for your users. Thinktecture IdentityServer does this.

      • Connie DeCinko permalink
        April 4, 2014 11:14 am

        Sorry for the newbie questions but we’re upgrading from ancient methods of a web form calling an action page that runs a sql query. The Thinktecture IndentiyServer looks promising but does it work with or instead of MembershipReboot?

        • April 4, 2014 3:36 pm

          They serve different purposes. MembershipReboot is for managing a database where you have to store users’ passwords and identity data. IdentityServer is for centralizing your identity so your users can have single sign-on across multiple apps. IdentityServer can use MembershipReboot to store users’ identity data.

  10. Connie DeCinko permalink
    April 15, 2014 12:03 pm

    So just to clarify, I would pass my users to the login page if IS but use pages on MR to do management of the account (password reset, remind, etc.). I can’t use a login page on MR and still create a token. So, to be less confusing to my users, I’ll style the pages the same. Can they live in the same domain but just be different apps in different sub folders?

    • April 16, 2014 12:08 pm

      Your STS issues tokens for signing in. Where you do management of your users is up to you and depends on requirements. If you want self-service, then doing this in the STS can work, or you can create a new app to do this as well (which would share the DB with the STS).

      • Connie DeCinko permalink
        April 16, 2014 1:39 pm

        It’s still not clear to me how I can have my cake and eat it too. How do I integrate all the brute force, etc. protections for user login while issuing a security token for SSO? You’ve created a great product, but the documentation is very weak for those of us just entering this world. I would be very grateful for better documentation as this is now looking like more work than writing from scratch.

        • April 16, 2014 2:23 pm

          Sorry the docs are thin — I do this in my free time. I’d love some help if you’re offering :)

          As for the use of MR’s features in the STS — if the STS is using MR for validating credentials then you’ll get those protections because those checks are part of MR’s code features.

  11. Jorris permalink
    October 16, 2015 9:39 am

    Hi Brockallen, we are using your product as login mechanism for a new web site project.
    The web app will be hosted in the DMZ, one of the limitations of the environment is that we cannot connect to a database directly from DMZ, so we must expose an interface (WCF service) that will do all the reading and writing in the database. Does MR support this?
    Meaning, can we implement / override methods within MR that will call the WCF instead of having MR perform these operations in the database directly? Sorry for not reading the docs on this yet, have that planned after the current backlog (somewhere 2017? lol)
    Thanks for the reply.


  1. An Interesting List of Development Stuff (April 2014) | rionscode
  2. Autenticação e Autorização Customizada no ASP.NET/MVC | jpolvora @ wordpress
  3. An Interesting List of Development Stuff (April 2014) - Rion.IO

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: