views:

496

answers:

3

What is the ASP.NET Membership framework's reputation as far as security goes? Are there any typical default configuration settings that are problematic? What best practices are there? Are there any built-in methods to combat things like session hijacking?

+1  A: 

I'm not sure if this is a problem for the ASP.NET Membership bits per se, but don't forget to ensure that there is a secret generated on the server and authenticated on POST so you can be sure that the form post came from your app.

There may be other (better) ways to do this, I'm just sharing what I know.

Crippledsmurf
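The check described in that answer is the synchronizer token pattern for cross-site request forgery: the server issues an unguessable secret bound to the user's session, embeds it in the form, and refuses a POST that does not carry it back. The following is an added example of that pattern, not code from the original answer or from the ASP.NET Membership framework; it is written in plain Python so it runs stand-alone, and the session store, `start_session`, `issue_csrf_token`, `render_form` and `validate_post` are all constructed here for illustration. The hidden-field name mirrors the one ASP.NET MVC's anti-forgery helper uses, but nothing else about the framework is assumed.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store; a real app would use its server-side session state.
SESSIONS: dict = {}

# Field name chosen to match ASP.NET MVC's anti-forgery hidden field; any name works.
TOKEN_FIELD = "__RequestVerificationToken"


def start_session() -> str:
    """Create a new server-side session and return its id (constructed helper)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": None}
    return sid


def issue_csrf_token(sid: str) -> str:
    """Generate an unguessable per-session secret and remember it server-side."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[sid]["csrf_token"] = token
    return token


def render_form(sid: str) -> str:
    """Embed the session's secret in the form as a hidden field when rendering the page."""
    token = SESSIONS[sid]["csrf_token"] or issue_csrf_token(sid)
    return (
        '<form method="post" action="/profile">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{escape(token)}">'
        '<input type="text" name="display_name">'
        '<button type="submit">Save</button></form>'
    )


def validate_post(sid: str, form: dict) -> bool:
    """Accept the POST only if it carries the secret that was issued to this very session.

    A request forged from another site can cause the browser to send the session
    cookie, but it cannot read the hidden field, so it cannot supply the token.
    """
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    submitted = form.get(TOKEN_FIELD)
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Walk through a legitimate POST and three rejected ones; returns the outcomes."""
    sid = start_session()
    page = render_form(sid)  # token is now issued and embedded in the page
    token = SESSIONS[sid]["csrf_token"]
    other_sid = start_session()  # a different user's session
    return {
        "legitimate": validate_post(sid, {TOKEN_FIELD: token, "display_name": "alice"}),
        "missing_token": validate_post(sid, {"display_name": "alice"}),
        "guessed_token": validate_post(sid, {TOKEN_FIELD: "not-the-real-token"}),
        "token_from_other_session": validate_post(other_sid, {TOKEN_FIELD: token}),
        "token_in_page": token in page,
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Two details matter for the check to actually hold: the token is compared with `hmac.compare_digest` rather than `==` so the comparison time does not depend on how many bytes match, and it is looked up by session, so a token issued to one user is worthless when replayed against another's session.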
+1  A: 

Omar AL Zabir blogged on some updates he made to the stored procedures that were needed for a high user site implementation. His suggestion is basically to use either

WITH (NOLOCK)

or

SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED

before the SELECT queries in the membership stored procedures.

Optimize asp net membership stored procedures for greater speed and scalability

Paul Rowland
Nice link, but that addresses performance/scalability more so than security robustness.
qntmfred
True... I was answering the 'best practices' part. On re-reading the question, that may have been best practices for security rather than best practice in general. I guess no harm in leaving the answer anyway?
Paul Rowland
+3  A: 

In regard to best practices, there is a short wiki called ASP.NET 2.0 Security Inspection Questions that lists security considerations when using a membership provider. It may be of some use?

Dan Diplo