Add the element ExcludedRolesToLogin tp the SiteSettings.config and specify
comma separate which roles are not allowed to login to the panel. e.g.:
<ExcludedRolesToLogin>Administrator,Reseller</ExcludedRolesToLogin>
By doing this you can eliminate the attack surface by publishing the portal
twice. One for the organization administrators and an internal one for the
adminsitrators and reseller admins
All authentication related cookies tagged as httpOnly
web.config: enabledVersionHeader=false
autocomplete disabled
Login url injection redirection fixed
session hijacking implemented
Dont forget to apply ssl to your website with https and to set the requireSSL="false" to true
