If you are unable to or just plain aren't going to use SSL then you definitely should:
- Not be transmitting sensitive information.
- Using SSL doesn't make your website totally secure (man-in-the-middle attack).
If, however, you still insist on trying to secure your site without SSL, or you just want some general website security tips:
Don't pass information around in the query string. If you insist on using the query string, use AES encryption with a per-session key and initialization vector.
Don't populate HTML controls that store value/text pairs with plain text IDs. Things like AccountID/AccountName. Instead, populate them with (AES encrypted ID)/AccountName. And for Pete's sake don't concatenate and display the ID and its associated Title string.
Authenticate on each request. In other words, if the session is still valid then you should have a session variable to indicate whether the user is still logged in or not. Otherwise, redirect or transfer to the login page.
Create an error page that doesn't display a stack trace or any other details about the website. It just has a smiley face and a friendly message on it. Redirect all errors to this page.
HTMLEncode all fields before storing them in a database or redisplaying the data.
If page requests or login attempts happen too quickly, use captchas to verify the user is human.
Separate the database server from the web server (i.e. don't run them on the same machine).
Store a hash of the salted password and the salt, rather than storing the plain text password.
Secure your database server (subject of another discussion).
Secure your web server (subject of another discussion).
Validate user input (GET and POST data) before using it. (Range check etc.)
Use parameterized queries rather than concatenating strings of SQL. This eliminates the need to correctly escape the SQL string for the database in question.
Any more website security tips?
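As an added example (not code from the original post), here are the two storage-side tips above, the salted password hash and the parameterized query, combined in Python using only the standard library's sqlite3, hashlib and hmac. The users table layout, the PBKDF2 work factor and the sample credentials are assumptions; the login lookup binds the user name as a parameter, so SQL metacharacters in it are treated as literal data.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# PBKDF2-HMAC-SHA256 iteration count (assumption; tune for your hardware).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def open_db() -> sqlite3.Connection:
    """Constructed in-memory users table: only salt and hash are stored, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def register(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Parameterized INSERT: values are bound by the driver, not spliced into the SQL text.
    conn.execute(
        "INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)", (name, salt, digest)
    )


def login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterized SELECT: a name such as "' OR '1'='1" is just a string that matches no row.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    # Constant-time comparison so the check does not leak through timing.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = open_db()
    register(db, "alice", "correct horse battery staple")
    print(login(db, "alice", "correct horse battery staple"))  # True
    print(login(db, "alice' OR '1'='1", "anything"))            # False
```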
This is already well covered on Stack Overflow.