If you are using form-based authentication, here is a great Stack Overflow post that provides some guidelines on how to implement form-based authentication properly: http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication