Membership and Roles - An Overview

As .net developers we are familiar writing code to accept user’s name and password, the code to verify passwords, and the code to create and manage users. Thanks to ASP.NET 2.0, web developers will no longer need to write and re-write the code to store and validate credentials. Instead, you have membership and role provider implementations for managing roles and membership in our web applications.
The membership and role providers exist to provide authentication and authorization services to our applications. ASP.NET 2.0 provides login controls we can drop on web forms to perform authentication with no code required. The controls talk directly to the membership provider. ASP.NET 2.0 also offers controls to support the ongoing maintenance of users, including changing passwords and resetting passwords. The role providers in 2.0 allow us to create roles, and map users into the roles. Of course, your application might have special needs. Perhaps your database is not Microsoft SQL Server. Fortunately, Microsoft implemented both membership and role management using an extensible provider model.
The provider model in ASP.NET 2.0 helps developers to plug their own implementation of a feature into the runtime. The provider model in ASP.NET 2.0 includes an infrastructure for the configuration and initialization of providers.
The provider model begins with the abstract class ProviderBase. ProviderBase exists to enforce the contract that all providers need public Name and Description properties, as well as a public Initialize method. Inheriting from ProviderBase are the MembershipProvider and RoleProvider abstract classes. These classes add additional properties and methods to define the interface for their specific areas of functionality.
The beauty of the provider model is this: higher-level application services can build upon a provider and not need to know the details of what happens behind the interface.
Now, let's take the membership controls, which include a Login control, a CreateUser control, a LoginStatus control, and more. All of these controls program against the MembershipProvider contract. At some point, the login control will need to invoke the ValidateUser method on the configured provider. The login control doesn’t care if the call travels to a SQL Server database or an XML file. All the login control cares about is passing in a username and a password and receiving a true or false value in return.