This item is really a range of different issues, gotchas and good practices. To begin with, you probably want to use an out-of-the-box authentication provider rather than trying to create your own. As part of this implementation, make sure passwords are stored safely, i.e. not encrypted (an encryption key that is on the server can be stolen along with the database) but hashed with a per-user salt using a slow password hash such as PBKDF2 or bcrypt, so that a leaked table cannot be turned back into plain-text passwords. Account management such as account creation, changing passwords, recovering passwords and providing a logout page needs to be carefully written and reviewed. I will try to get an article about this set up.
Once you have an authentication scheme set up, you then want to make sure that:
- timeouts are set correctly. This depends on exactly how your site works, but often the session timeout is set in web.config as <system.web><sessionState timeout="20"/></system.web> (the value is in minutes; 20 is the default). Note that this only governs session state: the lifetime of the forms authentication cookie is set separately by the timeout attribute of the <forms> element under <authentication>, and the two should be kept consistent, otherwise a user whose session has expired may still hold a valid login ticket or vice versa.
- when a user performs an action, both the user and their role are validated, i.e. check that the user is logged in and that they have permission to perform that action on that particular record (a valid login is not enough if the record id comes from the URL); see Direct Object Reference within an MVC controller.
- session cookies have the HttpOnly flag set, so script running in the page cannot read them; see Mark Cookies as HTTP Only.
- session cookies have the Secure flag set (RequireSSL), so the browser only sends them over HTTPS; see Marking Cookies As Secure.
- CSRF tokens are set and validated on every state-changing POST; see CSRF – Cross Site Request Forgery and, for Ajax posts, where the token usually travels in a header rather than a form field, CSRF – AntiForgeryToken and AJAX.
- session IDs are not displayed in a URL. If your URLs do have the session ID appearing in them, the site is running in cookieless session mode; set <sessionState cookieless="false"/> (equivalently cookieless="UseCookies") in your web.config. Note that cookieless="true" does the opposite and puts the session ID into the URL. The risk with sessions displayed in a URL is that someone shares the URL (or it ends up in a Referer header, browser history or proxy log) and in the process leaks their session.
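The following controller is an added example, not code from the original post or from any library it links to, showing how the last few checklist items look together in an ASP.NET MVC 5 application: an [Authorize] gate for login, an ownership check on the direct object reference, [ValidateAntiForgeryToken] for form posts, and explicit AntiForgery.Validate for an Ajax post that carries the token in a request header. The Document type, the IDocumentRepository interface, the "Admin" role name and the "RequestVerificationToken" header name are assumptions made for illustration; the web.config settings listed in the header comment are the ones the bullets above describe and are assumed to be in place.

```csharp
// Added example, not from the original post. Assumed companion web.config
// settings (the items from the checklist above):
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="~/Account/Login" timeout="20" requireSSL="true" />
//     </authentication>
//     <sessionState timeout="20" cookieless="UseCookies" />
//     <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   </system.web>
using System;
using System.Net;
using System.Web.Helpers;   // AntiForgery, AntiForgeryConfig
using System.Web.Mvc;       // Controller, attributes, HttpAntiForgeryException

// Hypothetical domain type: a record that belongs to one user.
public class Document
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public string Title { get; set; }
}

// Hypothetical repository; a real one would query the database.
public interface IDocumentRepository
{
    Document Find(int id);
    void Delete(int id);
}

[Authorize] // every action needs an authenticated user; anonymous callers go to the login page
public class DocumentsController : Controller
{
    private readonly IDocumentRepository _repo;

    // Assumes a DI container (e.g. via DependencyResolver) supplies the repository.
    public DocumentsController(IDocumentRepository repo)
    {
        _repo = repo;
    }

    // Direct object reference check: the id arrives in the URL, so being logged in
    // is not enough. The record must belong to the caller, or the caller must be an admin.
    private bool CanAccess(Document doc)
    {
        return doc != null
            && (string.Equals(doc.OwnerUserName, User.Identity.Name, StringComparison.OrdinalIgnoreCase)
                || User.IsInRole("Admin")); // role name is an assumption
    }

    // GET /Documents/Details/42
    public ActionResult Details(int id)
    {
        var doc = _repo.Find(id);
        // Answer 404 for "not yours" as well as "does not exist", so someone walking
        // through ids cannot tell which records exist.
        if (!CanAccess(doc)) return HttpNotFound();
        return View(doc);
    }

    // POST /Documents/Delete/42 from a normal form that renders @Html.AntiForgeryToken().
    // The attribute rejects the request if the hidden form field and the anti-forgery
    // cookie do not match, which is what stops a cross-site form post.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        var doc = _repo.Find(id);
        if (!CanAccess(doc)) return HttpNotFound();
        _repo.Delete(id);
        return RedirectToAction("Index");
    }

    // POST /Documents/DeleteAjax/42 from JavaScript. Ajax calls usually send JSON rather
    // than form fields, so the token is read from a request header and validated by hand
    // against the same anti-forgery cookie that [ValidateAntiForgeryToken] uses.
    [HttpPost]
    public ActionResult DeleteAjax(int id)
    {
        var cookie = Request.Cookies[AntiForgeryConfig.CookieName];
        var headerToken = Request.Headers["RequestVerificationToken"]; // header name is an assumption
        try
        {
            AntiForgery.Validate(cookie == null ? null : cookie.Value, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }

        var doc = _repo.Find(id);
        if (!CanAccess(doc)) return HttpNotFound();
        _repo.Delete(id);
        return new HttpStatusCodeResult(HttpStatusCode.NoContent);
    }
}
```

The client side of the Ajax case reads the token that @Html.AntiForgeryToken() rendered into the page and copies it into the RequestVerificationToken header of each POST; because the matching cookie is HttpOnly, script can only see the form half of the pair, which is exactly why a forged request from another origin cannot assemble both halves.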