
How secure is the session cookie? Also, implementing 'remember me' problems


I've mostly ported my site to use ASP.NET security classes, but it leaves me with some questions.

1) The login-cookies are encrypted, but what if a user gets his own login to the site, and then steals a fellow user's session cookie? Then he could presumably get at all the data of that fellow user. Is the session cookie as safe as the login-cookie?

2) Suppose my login control has a "remember me" feature enabled. That means that whenever he accesses a protected page on the site, that page has to do the automatic validation (which is fine) but it also has to retrieve some additional info about the user. There are many protected pages on the site, and they share a master page. So I would think that I could go to the Page_Load event of the master page, and check if the additional info is present, and if not, load it. The problem is this, though. The Page_Load event of the master page only executes after the child page has been assembled, and after the child page events have fired. If I need to use some of the user's additional info (like whether he has paid cash for the database info retrieval services offered by the page or not) before I assemble the child page, I'm out of luck. Is there a solution to this apart from putting extra code in the page-load event of every child page?

