What is the ASP.NET Membership framework's reputation as far as security goes? Are there any typical default configuration settings that are problematic? What best practices are there? Are there any built-in methods to combat things like session hijacking?
I'm not sure if this is a problem for the ASP.NET Membership bits per se, but don't forget to ensure that there is a secret generated on the server and authenticated on POST so you can be sure that the form post came from your app.
There may be other (better) ways to do this, I'm just sharing what I know
Omar AL Zabir blogged on some updates he made to the stored procedures that were needed for a high user site implementation. His suggestion is basically to use either
WITH (NOLOCK)
or
SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED
before the SELECT queries in the membership stored procedures.
Optimize asp net membership stored procedures for greater speed and scalability
In regard to best practices, there is a short WIKI called ASP.NET 2.0 Security Inspection Questions that lists security considerations when using a membership provider. It may be of some use?