The Internet is a dangerous place! With great regularity, we hear about websites becoming unavailable due to denial of service attacks, or displaying modified (and often damaging) information on their homepages. In other high-profile cases, millions of passwords, email addresses, and credit card details have been leaked into the public domain, exposing website users to both personal embarrassment and financial risk.

The purpose of website security is to prevent these (or any) sorts of attacks. More formally, website security is the act/practice of protecting websites from unauthorized access, use, modification, destruction or disruption.

There are many security factors to consider:

Updated Software

It is mandatory to keep your software updated. It plays a vital role in keeping your website secure.

SQL Injection

It is an attempt by the hackers to manipulate your database. It is easy to insert rogue code into your query that can be used to manipulate your database such as change tables, get information or delete data.
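The following is an added example, not code from the original page: the same user lookup written twice on the ASP.NET Web Pages Database helper, first the way that exposes the query to manipulation and then the parameterized form. The "Users" database and the UserProfile/Email column names are taken from the WebSecurity setup described later on this page; that the lookup lives in a Razor page is an assumption.

```csharp
@{
    // Added example (not from the original page). Assumes a "Users" database
    // with a UserProfile table whose username column is Email.
    var email = Request.Form["email"];
    var userId = -1;

    using (var db = Database.Open("Users")) {
        // VULNERABLE: the submitted value is pasted into the SQL text, so the
        // input can change the structure of the statement instead of just
        // supplying a value. Kept here only to show the pattern to avoid.
        // var row = db.QuerySingle(
        //     "SELECT UserId FROM UserProfile WHERE Email = '" + email + "'");

        // FIXED: a parameterized query. The input is bound to @0 as a value and
        // is never parsed as part of the SQL command, whatever it contains.
        var row = db.QuerySingle(
            "SELECT UserId FROM UserProfile WHERE Email = @0", email);
        if (row != null) {
            userId = (int)row.UserId;
        }
    }
}
<p>@(userId == -1 ? "No such user." : "User id: " + userId)</p>
```

The parameterized form is the one to use everywhere user input reaches a query; for the membership tables specifically, WebSecurity.GetUserId() from the method reference below does the same lookup without writing any SQL at all.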

Cross Site Scripting (XSS)

It allows attackers to inject client-side script into web pages. Therefore, when creating a form, it is good to ensure that you check the data being submitted and encode or strip out any HTML.

Error Messages

You need to be careful about how much information you give in error messages. For example, if a user fails to log in, the error message should not tell the user which field is incorrect: the username or the password.

Validation of Data

The validation should be performed on both server side and client side.


It is good to enforce password requirements, such as a minimum of eight characters including upper case, lower case and a special character. This helps to protect users' information in the long run.
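The registration page below is an added example, not code from the original page. It brings together the Cross Site Scripting, Validation of Data and password requirement points above: the Validation helper enforces the rules on the server, the HTML5 attributes repeat them in the browser for convenience only, and every user-supplied value is rendered through Razor's @ syntax, which HTML-encodes it. The field names and the messages are assumptions.

```csharp
@{
    // Added example (not from the original page). Server-side rules are
    // registered first; they run whether or not the browser checked anything.
    Validation.RequireField("email", "Email is required.");
    Validation.RequireField("password", "Password is required.");
    // Password policy from the text: at least eight characters with upper case,
    // lower case and a special (non-alphanumeric) character.
    Validation.Add("password",
        Validator.StringLength(128, 8, "Password must be at least 8 characters."),
        Validator.Regex("^(?=.*[A-Z])(?=.*[a-z])(?=.*[^A-Za-z0-9]).+$",
            "Password needs upper case, lower case and a special character."));
    Validation.Add("confirmPassword",
        Validator.EqualsTo("password", "Passwords do not match."));

    var email = Request.Form["email"];
    var message = "";

    // Client-side checks are a convenience; only this server-side result is trusted.
    if (IsPost && Validation.IsValid()) {
        message = "Registration received for " + email;
    }
}
<!DOCTYPE html>
<html>
<body>
    @* Razor encodes values written with @, so a submitted <script> tag is
       displayed as text, not executed. Html.Raw() bypasses that encoding and
       must never be given user input. *@
    @Html.ValidationSummary()
    <form method="post">
        <label>Email:
            <input type="email" name="email" value="@email" required /></label>
        @Html.ValidationMessage("email")
        <label>Password:
            <input type="password" name="password" minlength="8" required /></label>
        @Html.ValidationMessage("password")
        <label>Confirm:
            <input type="password" name="confirmPassword" required /></label>
        @Html.ValidationMessage("confirmPassword")
        <input type="submit" value="Register" />
    </form>
    <p>@message</p>
</body>
</html>
```

The browser-side attributes (type="email", minlength, required) can be removed or bypassed by anyone crafting a request by hand, which is why the same rules are declared again with Validation.Add and checked with Validation.IsValid() before anything is done with the data.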

Upload files

A file uploaded by a user may contain a script that, when executed on the server, gives the attacker control of your website.
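An added example, not code from the original page, of handling an upload so that whatever the file contains is never executed by the server: the extension is checked against an explicit allow list, the file is stored under App_Data (a folder IIS does not serve to browsers) and under a random name, so the client-supplied file name is never used as a path. The size limit, the allowed extensions and the form field name are assumptions.

```csharp
@using System.IO
@using System.Linq
@{
    // Added example (not from the original page).
    var message = "";
    if (IsPost) {
        var upload = Request.Files["upload"];
        if (upload == null || upload.ContentLength == 0) {
            message = "No file received.";
        } else if (upload.ContentLength > 2 * 1024 * 1024) {
            message = "File too large (limit 2 MB).";
        } else {
            // Allow list of what this feature needs. A deny list of script
            // extensions is the wrong way round: anything not listed gets through.
            var allowed = new[] { ".png", ".jpg", ".jpeg", ".pdf" };
            var ext = Path.GetExtension(upload.FileName).ToLowerInvariant();
            if (!allowed.Contains(ext)) {
                message = "File type not allowed.";
            } else {
                // App_Data is never served directly by IIS, so even a file that
                // is really a script cannot be requested and run from here.
                var folder = Server.MapPath("~/App_Data/uploads");
                Directory.CreateDirectory(folder);
                // Random server-chosen name; the original name is discarded.
                var safeName = Path.GetFileNameWithoutExtension(
                    Path.GetRandomFileName()) + ext;
                upload.SaveAs(Path.Combine(folder, safeName));
                message = "Stored as " + safeName;
            }
        }
    }
}
<form method="post" enctype="multipart/form-data">
    <input type="file" name="upload" />
    <input type="submit" value="Upload" />
</form>
<p>@message</p>
```

If uploaded images or documents must later be shown to visitors, serve them through a page that reads from App_Data and writes the bytes with a fixed Content-Type, rather than placing them in a folder the web server executes from.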


It is good practice to use the SSL protocol when passing personal information between the website and the web server or database.
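One way to make sure the site is only ever used over SSL, added here as an example and not taken from the original page: a _PageStart.cshtml file runs before every page in its folder, so a single check redirects any plain-HTTP request to its HTTPS equivalent. The redirect target is built from the current request, which is an assumption about the site's hostname layout.

```csharp
@{
    // Added example (not from the original page): _PageStart.cshtml at the
    // site root, so this runs for every page before the page's own code.
    if (!Request.IsSecureConnection) {
        // Same host, path and query string, HTTPS scheme.
        var secureUrl = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
        Response.Redirect(secureUrl, true);
    }
    // Tell browsers to use HTTPS for this host from now on without asking.
    Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
}
```

Two companion settings belong with this: in web.config, `<httpCookies requireSSL="true" />` under `<system.web>` marks the WebSecurity login cookie so browsers only send it over HTTPS, and for the database side a SQL Server connection string can carry `Encrypt=True` so the website-to-database link is encrypted as well.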


WebSecurity Object Reference – Methods

Method – Description
ChangePassword() – Changes the password for a user
ConfirmAccount() – Confirms an account using a confirmation token
CreateAccount() – Creates a new user account
CreateUserAndAccount() – Creates a new user account
GeneratePasswordResetToken() – Generates a token that can be sent to a user by email
GetCreateDate() – Gets the time the specified membership was created
GetPasswordChangeDate() – Gets the date and time when the password was changed
GetUserId() – Gets a user ID from a username
InitializeDatabaseConnection() – Initializes the web security system (database)
IsConfirmed() – Checks if a user is confirmed
IsCurrentUser() – Checks if the current user matches a username
Login() – Logs the user in by setting a token in the cookie
Logout() – Logs the user out by removing the token cookie
RequireAuthenticatedUser() – Exits the page if the user is not an authenticated user
RequireRoles() – Exits the page if the user is not a part of the specified roles
RequireUser() – Exits the page if the user is not the specified user
ResetPassword() – Changes a user’s password using a token
UserExists() – Checks if a given user exists

Initializing the WebSecurity Database

You must create or initialize a WebSecurity database before you can use the WebSecurity object in your code.

In the root of your web, create a page (or edit the existing page) named _AppStart.cshtml.

Put the following code inside the file:



@{
    // Runs once when the application starts and sets up the membership database.
    WebSecurity.InitializeDatabaseConnection("Users", "UserProfile", "UserId", "Email", true);
}


The code above will run each time the web site (application) starts. It initializes the WebSecurity database.

"Users" is the name of the WebSecurity database (Users.sdf).

"UserProfile" is the name of the database table that contains the user profile information.

"UserId" is the name of the column that contains the user IDs (primary key).

"Email" is the name of the column that contains usernames.

The last parameter, true, is a boolean indicating that the user profile and membership tables should be created automatically if they do not exist; pass false to require that they already exist.
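With the database initialized as above, the login page below is an added example (not code from the original page) that uses the Login(), Logout(), UserExists(), IsConfirmed() and RequireAuthenticatedUser() methods from the reference table, and applies the Error Messages advice from earlier on the page: every login failure produces the same message. Because _AppStart.cshtml named "Email" as the username column, the email address is what is passed as the username. The page names Login.cshtml and Members.cshtml and the form field names are assumptions.

```csharp
@* ---- Login.cshtml (assumed file name) ---- *@
@{
    // Added example (not from the original page).
    var email = Request.Form["email"];
    var password = Request.Form["password"];
    var error = "";

    if (IsPost && Request.Form["action"] == "logout") {
        WebSecurity.Logout();              // removes the authentication cookie
        Response.Redirect("~/Login.cshtml");
    }

    if (IsPost && Request.Form["action"] == "login") {
        // One generic message for every outcome: an unknown address, a wrong
        // password and an unconfirmed account all look identical to the visitor,
        // so the form cannot be used to learn which addresses have accounts.
        var ok = !string.IsNullOrEmpty(email) && !string.IsNullOrEmpty(password)
              && WebSecurity.UserExists(email)
              && WebSecurity.IsConfirmed(email)
              && WebSecurity.Login(email, password, persistCookie: false);
        if (ok) {
            Response.Redirect("~/Members.cshtml");
        }
        error = "Login failed. Check your email address and password.";
    }
}
<!DOCTYPE html>
<html>
<body>
    @if (WebSecurity.IsAuthenticated) {
        <p>Signed in as @WebSecurity.CurrentUserName</p>
        <form method="post">
            <input type="hidden" name="action" value="logout" />
            <input type="submit" value="Log out" />
        </form>
    } else {
        <form method="post">
            <input type="hidden" name="action" value="login" />
            <label>Email: <input type="email" name="email" value="@email" /></label>
            <label>Password: <input type="password" name="password" /></label>
            <input type="submit" value="Log in" />
        </form>
        <p>@error</p>
    }
</body>
</html>

@* ---- Members.cshtml (assumed protected page) ---- *@
@{
    // Sends anyone who is not logged in to the site's configured login page
    // before any of this page is rendered.
    WebSecurity.RequireAuthenticatedUser();
}
<p>Members-only content for @WebSecurity.CurrentUserName</p>
```

Keeping the failure text identical for a missing user, a wrong password and an unconfirmed account is the whole point of the Error Messages section above; the detailed reason can still be written to a server-side log, just never to the response.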