I'm new to ASP and SQL and am hoping for some tips on best practices to protect an extranet user's individual data. I'll use MS SQL Server 7 or 2000 on the back end. I gather the best approach is to write a login routine that would check a table of authorized users to ensure a match of usernames/pw's and then use a key field to filter the data (via a stored procedure)? I know I don't want other users to be able to bypass the filtering by merely replacing a relevant parameter in a returned URL (so I guess I need to use a "get" rather than a "post" method -- right?). I know I'll want to set up the server for SSL to protect pw's and other sensitive info in transit. What I want is a reasonably secure method of making sure one user can't get to another user's data to protect some personal info. If someone can give me an outline of best practices or point me somewhere for the same, it would be a great help! Thanks.
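One way to do the per-user filtering described in the post, as an added example that is not part of the original post: the key field is set in the server-side session at login and passed to the stored procedure as a typed parameter, so it never travels in the URL or a form field. The procedure, table, page and `Application("ConnString")` names are hypothetical, and the login routine that sets `Session("UserID")` is assumed to exist.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example. Assumed T-SQL procedure (hypothetical names), created once on the server:
'   CREATE PROCEDURE usp_GetUserRecords @UserID int AS
'     SELECT RecordID, Detail FROM UserRecords WHERE UserID = @UserID
' Assumption: the login page, after verifying the username and password,
' stored the matching key from the users table in Session("UserID").

Const adCmdStoredProc = 4
Const adInteger = 3
Const adParamInput = 1
Dim conn, cmd, rs

' No session key means no login: send the browser to the login page.
If IsEmpty(Session("UserID")) Then
    Response.Redirect "login.asp"   ' hypothetical page name
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumption: connection string kept in Application scope

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "usp_GetUserRecords"
cmd.CommandType = adCmdStoredProc

' The filter key is read from the server-side session only. Nothing from
' Request.QueryString or Request.Form reaches the WHERE clause, so editing
' the URL or a form field cannot select another user's rows.
cmd.Parameters.Append cmd.CreateParameter("@UserID", adInteger, adParamInput, , CLng(Session("UserID")))

Set rs = cmd.Execute
Do While Not rs.EOF
    Response.Write Server.HTMLEncode(rs("Detail") & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```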