Best Practice for ASP.NET Security Authentication and Authorization

What is generally considered best practice for an ASP.NET site to implement authentication and security authorization that is not based on Windows AD and stores account information in a database? Should I use the built-in Forms Authentication, a stock or custom MembershipProvider package, or the Enterprise Library Security Block?

Are there any pros and cons between them, such as replacing Forms Authentication making it difficult or impossible to protect directories containing non-ASP.NET files that need to be restricted?

+2

2 answers


Oh, that's a huge topic, so I have listed some general points.

Forms authentication gives you an authentication cookie separate from the session cookie, which is tamper-proof and can be encrypted. Its provider model means that this protection still exists even if you roll your own membership provider, and these providers can be used to secure WCF web services and allow authentication and authorization with Silverlight.

Forms auth also creates an IIdentity / IPrincipal object on the executing thread, which means you can use CAS PrincipalPermission requirements to secure methods, classes, and even assemblies that might be decoupled from your ASP.NET application, which makes cross-communication permissions a must.

Forms auth is also used by the IIS7 file protection mechanisms and therefore can be used with IIS7 to protect any file type, not just those associated with the ASP.NET ISAPI DLL (in IIS6 you can do wildcard mapping and put everything through the ASP.NET pipeline, but it affects scalability).



Forms auth does not allow impersonation.

Rolling your own removes all of this. You could start building it with HTTP modules that do the loading and validation of cookies, create a principal on the thread, and validate resource access. You still need to write the database bits, controls if you need them, and your own classes, and inject them.

And you will need to fix everything.

There are many advantages to the standard way of doing it, and it has been hammered, tested, used and abused by many people; the biggest adversary for your own is that you are probably not as smart as you think you are ... I know I'm not.

+4

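An added example, not taken from either answer, of a web.config that applies the points above: a forms ticket that is both validated and encrypted under an explicit machineKey, and, on IIS7 in integrated mode, the FormsAuthentication and UrlAuthorization modules re-registered without the managedHandler precondition so that a location rule also protects static files. The Reports directory, Login.aspx and the key values are assumptions (placeholders, not real keys).

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms ticket: protection="All" = HMAC-validated and encrypted;
         requireSSL keeps the cookie off plain HTTP. -->
    <authentication mode="Forms">
      <forms name=".AUTH" loginUrl="~/Login.aspx" protection="All"
             requireSSL="true" timeout="30" slidingExpiration="false"
             cookieless="UseCookies" />
    </authentication>
    <!-- Explicit keys so tickets stay valid across a web farm and do not
         depend on auto-generated per-machine keys. Placeholder values. -->
    <machineKey validation="HMACSHA256" decryption="AES"
                validationKey="PLACEHOLDER-HEX-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-HEX-DECRYPTION-KEY" />
    <!-- Site default: anonymous browsing allowed. -->
    <authorization>
      <allow users="*" />
    </authorization>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Restricted directory; assumed to hold non-ASP.NET files (PDF, XLSX).
       "?" denotes anonymous users, so only authenticated users get through. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- IIS7 integrated pipeline: the stock entries carry
       preCondition="managedHandler", which skips static files. Re-add
       them without it so forms auth and URL authorization run for
       every request under this application. -->
  <system.webServer>
    <modules>
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule" />
    </modules>
  </system.webServer>
</configuration>
```

The application pool must run in integrated mode; in classic mode IIS serves the static files before the managed modules see the request, which is the IIS6 situation the answer describes.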

The use of forms authentication (either through the MembershipProvider element or a custom MembershipProvider) is generally considered the standard.



0