Good article apart from one thing - avoid the hell out of session state. This becomes the dumping ground for all sorts of crap and will slowly knacker your app. You should only persist enough information to identify the user between requests and keep the rest stateless. We do that using encrypted cookies containing the user id, display name and correlation id.
I've just spent 6 months entirely removing session state from an asp.net app and the performance gain is amazing.
I've just spent 6 months entirely removing session state from an asp.net app and the performance gain is amazing.