These are still relevant:

http://msdn.microsoft.com/en-us/library/ff649487.aspx#pagguidelines0001_formsauthentication

Not sure if there has been an updated version of that document in the last 5
years :)

Security is one of those things that's never perfect; you really need to do
some threat modelling to decide what the issues will be, how much it will
cost if they are exploited and how much it will cost to fix them.

Definitely agree with SSL though. Without that it's like typing in your PIN
at the ATM using a Kinect.

On Mon, Apr 4, 2011 at 2:58 PM, Arjang Assadi <[email protected]> wrote:

> I have been asked to provide a security assessment for an ASP.NET site
> using WebForms Authentication with the default ASP.NET Membership Provider,
> not using https.
>
> The website in question just provides some confidential information
> and nothing financial, but still I would like to have at least a
> security level matching what I would like for a web-based email client
> (Gmail, Hotmail, etc.).
>
> I have assumed the first requirement is getting an https certificate.
> What else should I consider? Any links for security-related issues for
> ASP.NET deployment?
>
> Regards
>
> Arjang
>
