NEVER create your own security code. This includes authentication / membership.
Writing your own authentication system is deceptively easy: Basic is functionally simple to write and test. However, the problem here is to design a process for security. Since itβs easy to do, itβs also very easy to build something that only seems to work β it passes all your tests, resolves the ones it is intended for, and prevents them from doing this, and so you deploy your system. Then comes the hacker and finds this small flaw in your design. After a year, you will finally know that you were defeated.
The thing about the membership API is that it is extensible. If there is no ready-made provider that does what you need, you can expand it without having to start from scratch, so this would really be an exception because you cannot use it.
This principle applies not only to ASP.Net, but also to any other platform where you might want to implement an authentication system. Whatever platform you have, always rely on the maximum possible number of security features that you have tested that you have verified.