I would like to know how to generate the same nonce/secret key, whatever, in C# for an ASP.NET application?
Read up on HTTP Digest Authentication. It's described pretty well there.
http://en.wikipedia.org/wiki/Digest_access_authentication
Also, doesn't this affect the performance of the application, like 100 thousand users use it and each time the method has to go through encryption, random number generation etc.?
Hardly. Remember: the connection to the user's desktop is the bottleneck. Checking a nonce is generally trivial, since it's a simple hex digest of data already available.
Is there any way I can check if posted data is what was actually posted? Checking the integrity of posted data?
Read up on Cross Site Request Forgery (CSRF).
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Do you need to follow design patterns to secure application logic?
Yes.
Does one exist to make your application at the least somewhat secure?
Not "One".
Lots and lots.
There is no "somewhat" secure. There's secure and there's broken.
Start with the OWASP top-ten list and read up on the vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Then, find a framework that does this for you and use the framework.
Don't build your own. It's already been done for you. Just pick a framework that does it.
Why security is binary. "Perfect security" is an oxymoron -- it only exists where there is no information exchanged.
"Security" doesn't mean "perfect". It means "as good as present technology permits under the circumstances that we've agreed to share information, and I have to assume you're not lying."
If you want "somewhat secure", then you are implementing "somewhat insecure".
If you're going to implement somewhat insecure, you must actually choose the specific kind of insecurity you are going to implement. Generally, you must either give private information away, allow information to be adulterated or allow a denial of service attack. Pick some combination of things you are going to implement in a "somewhat secure" application.
Try to avoid choosing the "give away the root password" insecurity if you can. Usually, that is isomorphic to "as secure as possible".
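The nonce check that the answer above calls trivial, as an added example that is not code from any poster on this page: a stateless nonce built from a timestamp and a keyed digest of data the server already holds. It assumes .NET 6 or later and uses HMAC-SHA256 rather than the plain hash of HTTP Digest; `NonceService`, `Issue` and `Validate` are hypothetical names.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example: stateless server nonce = "<unix-seconds>:<hex HMAC-SHA256>".
// NonceService, Issue and Validate are hypothetical names, not an ASP.NET API.
public sealed class NonceService
{
    private readonly byte[] _key;          // server-side secret, never sent to the client
    private readonly TimeSpan _lifetime;   // how long an issued nonce stays acceptable

    public NonceService(byte[] key, TimeSpan lifetime)
    {
        _key = key;
        _lifetime = lifetime;
    }

    // The MAC covers the timestamp and a per-session value the server already has.
    private byte[] Mac(string timestamp, string sessionId)
    {
        using var hmac = new HMACSHA256(_key);
        return hmac.ComputeHash(Encoding.UTF8.GetBytes(timestamp + ":" + sessionId));
    }

    public string Issue(string sessionId, DateTimeOffset now)
    {
        string ts = now.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture);
        return ts + ":" + Convert.ToHexString(Mac(ts, sessionId));
    }

    public bool Validate(string nonce, string sessionId, DateTimeOffset now)
    {
        string[] parts = (nonce ?? "").Split(':');
        if (parts.Length != 2) return false;
        // NumberStyles.None accepts digits only, so the timestamp cannot smuggle a ':'.
        if (!long.TryParse(parts[0], NumberStyles.None, CultureInfo.InvariantCulture, out long issued))
            return false;

        byte[] supplied;
        try { supplied = Convert.FromHexString(parts[1]); }
        catch (FormatException) { return false; }

        // Constant-time comparison first, then the freshness window.
        if (!CryptographicOperations.FixedTimeEquals(supplied, Mac(parts[0], sessionId)))
            return false;
        long age = now.ToUnixTimeSeconds() - issued;
        return age >= 0 && age <= (long)_lifetime.TotalSeconds;
    }
}
```

Validation costs one HMAC and no storage lookup, but a nonce stays replayable until its window closes; single-use nonces need a server-side record of the ones already seen.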
Best Answer
It looks like you are interested in best practices to follow or just use in your case. There are a number of written articles on this subject matter, however there are a few good ones that combine techniques in one as well :)
Regarding your questions, I would skip the one saying "Should I automatically repeat the Ajax request if it fails?" - No, just process the failure message in a user-friendly way.
More readings on best practices with Ajax calls: