I have created a web authentication app using C# and asp.net and want to bounce it off you to see how safe you think it is. All navigation is done over https.
User Registration
- The user enters 3 data points (SSN, Line and DOB). If this combination is found in our system, then a session variable is set and the user navigates to the next page.
- If the session variable from #1 has been set, then proceed and ask for user name, PWD, security Q&A etc. Use LINQ to save the data and validate the first session variable before saving. PWD and security response are stored using salt and SHA (use validation controls and textbox limitations to limit input).
Reset password
- Similar to registration #1 but also includes the username. If OK, set the step 1 session variable.
- If the step 1 session variable has been set, ask the security question 3x. Salt/hash the answer and compare it to the database salt/hash. If it matches, then set the step 2 session variable. (Use validation controls and textbox limits to limit input.)
- Check the step 2 session variable, then accept the new PWD.
Login (use validation controls and textbox limitations to limit input)
- Collect username and password. Salt/hash the password, look up the username and see if the password hash matches. If OK, instantiate the user object and pass on to the default page.
- All pages inherit from a masterpage, and in the masterpage is code that verifies whether the user object is set to a valid instance. If there is not a legitimate user object, logoff is called and the user is redirected to the main login page.
That's the gist of it, but I wanted to be clear.
Am I missing something here? I wanted to use MS forms authentication, but decided to roll my own because I had some custom items that I wanted to handle outside FBA. Does using session variables as step-completion markers adequately prevent session theft or bookmarking? Is there a better way to do this?
Any thoughts?
Is there a reason that using ASP.NET Forms Authentication or the Membership Provider bits does not meet your needs? I have found both to be very flexible in many different scenarios.
Rolling your own is usually going to make life harder in the future, especially when you have to start making changes. Besides, using a master page to verify your user's logon status etc. works until you need more master pages; then you have to repeat the same type of code in every master page and keep it all consistent. That could become a maintenance nightmare somewhere down the road.
If you are not using the baked-in authentication tools in the framework, then you should at least move these types of things into an HttpModule.
I think you should take another look at what you are doing. If you need to attach user-specific data/objects to a user object, take a look at implementing your own custom IIdentity object. Then create a custom IPrincipal that you can attach to Context.User in ASP.NET.
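The custom IIdentity/IPrincipal plus HttpModule approach suggested above, as an added example that is not from this thread or any of its posters: the module runs once per request, upgrades the Forms Authentication principal to an application principal carrying the user object, and signs out anyone whose ticket no longer maps to a known user. AppUser, AppIdentity, AppPrincipal, AppAuthModule and UserRepository are hypothetical names, and the repository holds constructed sample data where the asker's LINQ lookup would go.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical user object standing in for the asker's "user object".
public class AppUser { public string UserName; public string[] Roles; }

// Hypothetical data access with constructed sample data; the asker's LINQ lookup goes here.
public static class UserRepository
{
    static readonly Dictionary<string, AppUser> Users = new Dictionary<string, AppUser>
        { { "alice", new AppUser { UserName = "alice", Roles = new[] { "User" } } } };
    public static AppUser Load(string name) { AppUser u; return Users.TryGetValue(name, out u) ? u : null; }
}

// Custom IIdentity that carries the application's user data.
public class AppIdentity : IIdentity
{
    public AppUser User { get; private set; }
    public AppIdentity(AppUser user) { User = user; }
    public string Name { get { return User.UserName; } }
    public string AuthenticationType { get { return "Forms"; } }
    public bool IsAuthenticated { get { return true; } }
}

// Custom IPrincipal; pages cast Context.User to this instead of checking a session variable.
public class AppPrincipal : IPrincipal
{
    readonly AppIdentity _id;
    public AppPrincipal(AppIdentity id) { _id = id; }
    public IIdentity Identity { get { return _id; } }
    public bool IsInRole(string role) { return Array.IndexOf(_id.User.Roles, role) >= 0; }
}

// Runs for every request, so the check lives in one place rather than in each master page.
public class AppAuthModule : IHttpModule
{
    // PostAuthenticateRequest fires after FormsAuthenticationModule has validated the
    // encrypted, signed ticket cookie and populated Context.User with the user name.
    public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnPostAuthenticate; }

    static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return; // anonymous request
        AppUser user = UserRepository.Load(ctx.User.Identity.Name);
        if (user == null) { FormsAuthentication.SignOut(); FormsAuthentication.RedirectToLoginPage(); return; }
        ctx.User = new AppPrincipal(new AppIdentity(user)); // valid ticket, known user
    }

    public void Dispose() { }
}
```

Register the module in web.config (under <system.web><httpModules> for classic mode, or <system.webServer><modules> for IIS 7 integrated mode) alongside <authentication mode="Forms">; the ticket cookie is then protected by the machineKey rather than by a Session_Start-style marker.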
@asp316 and @jake (comment) I would advise getting these two books:
By Stephen Skaka
You would be surprised how flexible the .NET built-in security framework actually is. In your web.config, add an <authentication mode="Forms"> setting and slap an <asp:Login runat="server" /> control on a page. It really is that easy.