First, you have to decide exactly what it is you are trying to protect with your security measures. Of course, this step doesn’t involve writing any code, but we strongly recommend that you think about this as thoroughly as possible. You should spend some time just working through what type of security measures your applications need and how users will gain access.
Be sure you have answers to these questions:
Does the whole application need to be secured, or just a portion of it? For company intranets, you usually want to secure the whole application. For Internet sites available to the general public, you usually want to secure only certain sections (Members Only or Registered Users areas, for instance).
What granularity ...