Hello all of you.
I want to know what security tactics should be handled in an ASP.NET web application.

I am going to develop a big project in ASP.NET. I have handled session / SQL injection / URL rewriting / anonymous access of users by session /

Please tell me any advanced security tricks... and the way of handling them in coding....

Please ......
Also tell me the correct ways of handling session variables......
Please

There are a few authentication types:

http://msdn.microsoft.com/en-us/library/330a99hc(v=vs.71).aspx

I strongly suggest you read the above article.

The above link lists the following:

ASP.NET, in conjunction with Microsoft Internet Information Services (IIS), can authenticate user credentials such as names and passwords using any of the following authentication methods:

Windows: Basic, digest, or Integrated Windows Authentication (NTLM or Kerberos).
Microsoft Passport authentication
Forms authentication
Client Certificate authentication

Windows authentication is used to look up your user against a user directory.
http://msdn.microsoft.com/en-us/library/ff647405.aspx

Microsoft Passport Authentication is just that, using what until recently was your windows live login.
http://msdn.microsoft.com/en-us/library/b0ctef6w(v=vs.85).aspx

Forms authentication is probably the most used commercially. It uses cookie/state management to know when you've authenticated. Normally you provide the login screen, you perform the authentication check and then write the forms authentication cookie. This along with your web config file is used to marshal access to the rest of your site.
http://msdn.microsoft.com/en-us/library/ff647070.aspx

Client Certificate. I've never used this method. But as it says, it uses certificates to identify the user.
http://support.microsoft.com/kb/315588

You can also use a custom security mechanism. You can write a value to the session or a database when the user authenticates and then check this on each page load. You can include the check in a base page/master page.

SQL Injection

You should make sure you avoid leaving holes for SQL injection. The following should explain how to achieve this:

http://msdn.microsoft.com/en-us/library/ff648339.aspx

Other Injections

On a similar note, if you're worried about web security, script injection is also something to be aware of. Otherwise known as injection attacks.
http://msdn.microsoft.com/en-us/library/ff647397.aspx

Wider Website Security Practices

There are many websites/standards/processes/documents which cover the requirements for delivering secure websites. Two which come to mind are OWASP and PCIDSS.

OWASP (Open Web Application Security Project)
https://www.owasp.org/index.php/Main_Page

PCIDSS (Payment Card Industry Data Security Standard)

You can also subscribe to an ethical hacking service which will try and find the holes in your website and report them to you. One such service which provides both scheduled and on demand testing is McAfee Secure.
http://www.mcafeesecure.com/us/
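As an added illustration (not code from the answer above or from Microsoft's documentation), here is how the forms-authentication flow and the parameterized SQL lookup fit together in C#, plus the base-page check the answer mentions. It assumes a hypothetical `Users` table with `UserName`, `Salt` and `PasswordHash` columns and a connection string supplied by the caller.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

public static class LoginService
{
    // Parameterized lookup: the user name is bound as a value, never spliced into
    // the SQL text, so input such as ' OR 1=1 -- is compared as a literal string.
    public static bool ValidateUser(string connectionString, string userName, string password)
    {
        // Table and column names are assumptions for this example.
        const string sql = "SELECT Salt, PasswordHash FROM Users WHERE UserName = @UserName";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false;                 // unknown user
                byte[] salt = (byte[])reader["Salt"];
                return (string)reader["PasswordHash"] == HashPassword(password, salt);
            }
        }
    }

    // PBKDF2 with a per-user salt (assumed storage format: base64 of 32 derived bytes).
    public static string HashPassword(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 10000))
            return Convert.ToBase64String(kdf.GetBytes(32));
    }

    // Writes the forms-authentication ticket cookie after a successful check;
    // false = non-persistent, so the ticket expires with the browser session.
    public static void SignIn(string userName) { FormsAuthentication.SetAuthCookie(userName, false); }
}

// Base page: every page inheriting from it rejects unauthenticated requests before
// the rest of the page lifecycle runs, so the check cannot be forgotten per page.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!Context.User.Identity.IsAuthenticated) FormsAuthentication.RedirectToLoginPage();
    }
}
```

The `<authentication mode="Forms">` and `<authorization>` elements in web.config still decide which URLs the cookie grants access to; the base page is a second line of defence for pages that are accidentally left out of that configuration.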
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)