This week I started reading Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow.  I can't recommend this book enough.  Stefan is a great guy as well.  I had opportunity to meet him on a couple different visits to Redmond.  I wish I had this book 2 years ago when I started looking at the Membership and Role API's in .NET 2.0.  (Yes, I was looking these things 2 years ago.  They were announced at the PDC in Oct. 2003).

Today I found a bonus nugget of goodness I had to share that is indirectly related to ASP.NET 2.0 security.  On Page 429 Stefan explains why all the SQL objects in the Microsoft SQL providers for .NET 2.0 explicitly reference DBO as the object owner.  (ex. dbo.aspnet_Memberhsip)  It turns out that SQL 2000 takes a performance hit if the object owners are not explicitly declared in stored procedures, views, etc.  The performance hit is significant enough that Microsoft did a QFE on ASP.NET 1.1 SQL Session state.  I had no idea and I figured many others also were clueless about the patch for Session State as well as the performance issue.

Check out Todd Carter's blog for some more details.  It also includes a link to the .NET 1.1 Session State fix.