By default, MVC creates a new web application that uses the following flow for logging a user on:
The master page contains a user control which displays a logoff link if Request.IsAuthenticated is true, and a login link otherwise.
The login view is rendered when the user clicks on the login link.
When the user fills out the details and submits the login page, the following actions happen:
1. We have a model containing a username, password, and 'remember me' being posted and passed to the LogOn method via this signature:
public ActionResult LogOn(LogOnModel model, string returnUrl)
2. This model posts to the AccountController
3. The LogOn method validates the model: if (ModelState.IsValid)
4. The LogOn method checks the user against the profile provider: MembershipService.ValidateUser(model.UserName, model.Password)
5. The LogOn method then calls: FormsService.SignIn(model.UserName, model.RememberMe);
The same happens for 'Register'. If you do NOT want any user to be able to be registered, then REMOVE THE REGISTER METHOD, or add security to it, such as restricting it to a SystemAdministrators role:
public ActionResult Register(RegisterModel model)
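
One way to apply that restriction, as an added example rather than code from the original page or the project template. It assumes a role provider is enabled in web.config, that the SystemAdministrators role exists, and that RegisterModel exposes UserName, Password and Email. It calls System.Web.Security.Membership directly instead of the template's MembershipService wrapper.

```csharp
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // The LogOn and LogOff actions described above are unchanged and not shown.

    // GET: renders the registration form, for administrators only.
    [Authorize(Roles = "SystemAdministrators")]
    public ActionResult Register()
    {
        ViewData["PasswordLength"] = Membership.MinRequiredPasswordLength;
        return View();
    }

    // POST: [Authorize] is evaluated per action, so the overload that actually
    // creates the account needs the attribute as well as the GET overload.
    [HttpPost]
    [Authorize(Roles = "SystemAdministrators")]
    public ActionResult Register(RegisterModel model)
    {
        if (ModelState.IsValid)
        {
            MembershipCreateStatus status;
            // Assumption: the provider does not require a password
            // question/answer, so both are passed as null.
            Membership.CreateUser(model.UserName, model.Password, model.Email,
                                  null, null, true, out status);

            if (status == MembershipCreateStatus.Success)
            {
                // Deliberately no FormsService.SignIn(...) here: signing in
                // the new user would replace the administrator's own
                // authentication cookie with the new account's.
                return RedirectToAction("Index", "Home");
            }

            ModelState.AddModelError("", "The account could not be created: " + status);
        }

        // Validation or creation failed: redisplay the form with its errors.
        ViewData["PasswordLength"] = Membership.MinRequiredPasswordLength;
        return View(model);
    }
}
```

An unauthenticated request to either action is redirected to the login page by forms authentication. Any 'Register' link in the views should also be hidden from users outside the role, although the attribute is what enforces the restriction.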