As are result of security penetration test the following changes applied:

All authentication related cookies tagged as httpOnly
web.config: enabledVersionHeader=false
autocomplete disabled
Login url injection redirection fixed
session hijacking implemented

Dont forget to apply ssl to your website with https and to set the requireSSL="false" to true

WebsitePanel/Sources/WebsitePanel.WebPortal/Default.aspx

@@ -13,7 +13,7 @@
 <![endif]--> 
 </head>
 <body>
-    <form id="form1" runat="server">
+    <form id="form1" runat="server"  autocomplete="off">
         <asp:PlaceHolder ID="skinPlaceHolder" runat="server"></asp:PlaceHolder>
     </form>
 </body>