As are result of security penetration test the following changes applied:

All authentication related cookies tagged as httpOnly
web.config: enabledVersionHeader=false
autocomplete disabled
Login url injection redirection fixed
session hijacking implemented

Dont forget to apply ssl to your website with https and to set the requireSSL="false" to true

WebsitePanel/Sources/WebsitePanel.WebPortal/WebsitePanel.WebPortal.csproj

@@ -157,6 +157,7 @@
     <Compile Include="Code\ContentPane.cs" />
     <Compile Include="Code\Controls\DesktopContextValidator.cs" />
     <Compile Include="Code\PortalUtils.cs" />
+    <Compile Include="Code\SecureSessionModule.cs" />
     <Compile Include="Code\WebPortalControlBase.cs">
       <SubType>ASPXCodeBehind</SubType>
     </Compile>