.Net Interview Questions, Resources, Tips & Tricks.

• As HTTP is a state less protocol and we need to maintain the information to authenticate the users. Below are the precaution the we need to follow
• We can use one of the below suggested methods for authentication
• Forms Authentication
• Windows Authentication
• Passport
• Change Password Controls
• Always we need to ask for old password and new password.
• If we are sending reset password links to users email we need to re-authenticate the user when he tries to change his email address.
• All passwords should be stored in database in encrypted format. Use System.Security.Cryptography in .NET

Source: http://msdn.microsoft.com/en-us/library/aa302378.aspx

• Protection during transmit:
• In order to protect the passwords or transaction session Ids it is suggested to use SSL. Try to use SSL for all login pages so that credentials will be protected.
• SessionIds should not be transferred in querystrings.
• Session Ids should be long and complex to decode.
• Session Id can be formed by encrypting it along with IP Address, so that we can check for the IP Address and compare it in server side.
• Session IDs must be changed when switching to SSL, authenticating, or other major transitions. Session IDs chosen by a user should never be accepted.
• We need to make sure that session is timed out when user clicks on logout button.
• Application timeout should be set properly so that sessions are abandoned when user closes the browser instead of clicking on logout.