Hi Hector,

Yes sufficient is probably the wrong word! I guess there are two fronts really, security of the server to prevent any would be hackers, and security of the application, ie a hacker trying to break in through the application with a password cracker or whatever.

>>1. Security - I have experimented with forms authentication and this seems to work well, but is this sufficiently secure for an application working over the internet?<
>
>I am not sure what you mean by "sufficient." Nevertheless, forms authentication works well for securing resources (web pages) owned by ASP.NET. Keep in mind that by default forms authentication will not protect resources not owned by ASP.NET (e.g. PDF files, XML files, JPGs)

To secure .PDFs and .JPGs then, there's some settings I should change?

>
>You should also try to protect login credentials with SSL and limit authentication cookies lifetime (do not create persistent authentication cookies.)

Right, I have heard about SSL and I am going to have to learn more about it and implement it.

Are you referring to the "timeout" setting in web.config when you say limit authentcation cookies?

>
>I don't know if there was (or will be) a DevDays 2004 event this year near to where you are. But the main focus of the web track in DevDays 2004 was security. You might want to find out.

Thanks will search up!

Chris