I’ve created an web authentication app using c# & asp.net and want to bounce off how secure you think it is. All navigation is done by https.

User Registration

1. User enters 3 datapoints (SSN,Lname and DOB). If that combination is found in our system, a session variable is set and navigates to next page.
2. If session variable for #1 is set, proceed and ask for username, pwd, security q&A etc. Use Linq to save data and verify session variable before actual save event. PWD and security answer is hashed using salt and sha. (use validation controls and textbox limits to limit input)

Reset password

1. Same as #1 in registration but includes username. If ok, set step 1 session variable.
2. If step 1 session variable is set, ask security question up to 3x. Salt/hash and verify to database salt/hash. If match, set step 2 session variable.(use validation controls and textbox limits to limit input)
3. Check for step 2 session variable. Ask for new pwd. Hash/salt and save using LINQ.

Login (use validation controls and textbox limits to limit input)

1. Gather username and password. HASH/salt password that matches username and see if password matches hash. If okay, instatiate user objects and pass to default page.
2. All pages inherit from masterpage. Masterpage has code to verify if user objects are set to a valid instance. If not valid user object, logoff is called which redirects to main login page.

Kind of wordy but wanted to be clear.

Am I missing anything here? I wanted to use MS’s forms auth but decided to roll my own as I had some issues getting some of the custom stuff I wanted done using FBA. By using session variables as step completion markers, does that adequately prevent session stealing or bookmarking? Is there a better way to do this?

Thoughts please?