I would like to know how to generate the same nonce/secret key, whatever it is, in C# for an ASP.NET application?
Read up on HTTP Digest Authentication. It's described pretty well there.
http://en.wikipedia.org/wiki/Digest_access_authentication
Also, doesn't this affect the performance of the application? Say 100 thousand users use it, and each time the method has to go through encryption, random number generation, etc.?
Hardly. Remember: the connection to the user's desktop is the bottleneck. Checking a nonce is generally trivial, since it's a simple hex digest of data already available.
Is there any way I can check if posted data is what was actually posted. Checking the integrity of posted data?
Read up on Cross Site Request Forgery (CSRF).
http://en.wikipedia.org/wiki/Cross-site_request_forgery
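The two answers above point at Digest authentication nonces and at CSRF tokens without showing how a server actually mints and checks such a value. The following is an added example, not code from either answer or from any framework: a small C# class that issues a token only the holder of a server-side key can produce, bound to a caller-supplied context string and to its issue time, and validates it statelessly. Used as a Digest nonce the binding is the client address (an assumption; a realm or user id works the same way), and used as a CSRF token the binding is the session id. The HMAC-SHA256 construction, the 32-byte key, and every address and session id in `Main` are assumptions made up for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original answers). Token layout before base64:
//   8-byte big-endian Unix seconds || 16 random bytes || HMAC-SHA256(key, those 24 bytes || binding)
// The MAC covers the time, the random bytes and the binding, so none of them can be altered
// without the key, and a token issued for one client/session does not verify for another.
public sealed class SignedToken
{
    private const int TimeLen = 8, RandLen = 16, MacLen = 32;
    private readonly byte[] _key;

    public SignedToken(byte[] key)
    {
        if (key == null || key.Length < 32)
            throw new ArgumentException("use at least 32 random key bytes");
        _key = key;
    }

    public string Issue(string binding)
    {
        var payload = new byte[TimeLen + RandLen];
        var time = BitConverter.GetBytes(DateTimeOffset.UtcNow.ToUnixTimeSeconds());
        if (BitConverter.IsLittleEndian) Array.Reverse(time);   // fixed big-endian encoding
        Buffer.BlockCopy(time, 0, payload, 0, TimeLen);
        using (var rng = RandomNumberGenerator.Create())
        {
            var rnd = new byte[RandLen];
            rng.GetBytes(rnd);                                    // CSPRNG, not System.Random
            Buffer.BlockCopy(rnd, 0, payload, TimeLen, RandLen);
        }
        var mac = Mac(payload, binding);
        var token = new byte[payload.Length + MacLen];
        Buffer.BlockCopy(payload, 0, token, 0, payload.Length);
        Buffer.BlockCopy(mac, 0, token, payload.Length, MacLen);
        return Convert.ToBase64String(token);
    }

    // True only if the MAC verifies under the same binding and the token is no older than
    // maxAge. This is stateless: it bounds the replay window but cannot detect a replay
    // inside it; Digest's nonce-count (nc) check needs server-side state for that.
    public bool Validate(string token, string binding, TimeSpan maxAge)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(token); }
        catch (FormatException) { return false; }
        if (raw.Length != TimeLen + RandLen + MacLen) return false;

        var payload = new byte[TimeLen + RandLen];
        Buffer.BlockCopy(raw, 0, payload, 0, payload.Length);
        var mac = new byte[MacLen];
        Buffer.BlockCopy(raw, payload.Length, mac, 0, MacLen);
        if (!FixedTimeEquals(mac, Mac(payload, binding))) return false;   // check MAC before trusting the time

        var time = new byte[TimeLen];
        Buffer.BlockCopy(payload, 0, time, 0, TimeLen);
        if (BitConverter.IsLittleEndian) Array.Reverse(time);
        var issued = DateTimeOffset.FromUnixTimeSeconds(BitConverter.ToInt64(time, 0));
        var age = DateTimeOffset.UtcNow - issued;
        return age >= TimeSpan.Zero && age <= maxAge;                      // reject future-dated and expired
    }

    private byte[] Mac(byte[] payload, string binding)
    {
        var ctx = Encoding.UTF8.GetBytes(binding);
        var input = new byte[payload.Length + ctx.Length];                 // payload is fixed-length, so no framing ambiguity
        Buffer.BlockCopy(payload, 0, input, 0, payload.Length);
        Buffer.BlockCopy(ctx, 0, input, payload.Length, ctx.Length);
        using (var h = new HMACSHA256(_key)) return h.ComputeHash(input);
    }

    // Compare every byte so response time does not depend on where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        var key = new byte[32];                                            // assumption: in production load one key from config, shared by all web servers
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        var tokens = new SignedToken(key);

        // Digest: this value goes into  WWW-Authenticate: Digest realm="...", nonce="<value>", qop="auth"
        string nonce = tokens.Issue("198.51.100.7");                       // constructed client address
        Console.WriteLine("same client:  " + tokens.Validate(nonce, "198.51.100.7", TimeSpan.FromMinutes(5)));
        Console.WriteLine("other client: " + tokens.Validate(nonce, "203.0.113.9", TimeSpan.FromMinutes(5)));

        // CSRF: this value goes into a hidden form field and is checked against the posting session
        string csrf = tokens.Issue("session:abc123");                       // constructed session id
        var tampered = csrf.ToCharArray();
        tampered[40] = tampered[40] == 'A' ? 'B' : 'A';                     // flip one character inside the MAC
        Console.WriteLine("own session:  " + tokens.Validate(csrf, "session:abc123", TimeSpan.FromHours(8)));
        Console.WriteLine("tampered:     " + tokens.Validate(new string(tampered), "session:abc123", TimeSpan.FromHours(8)));
    }
}
```

On the performance question: issuing a token is one CSPRNG read and one HMAC, and checking it is one HMAC plus a base64 decode, which is negligible next to the request's network round trip. For the CSRF case in particular, ASP.NET MVC already ships this pattern as `Html.AntiForgeryToken()` and `[ValidateAntiForgeryToken]`, so in line with the "don't build your own" advice further down, prefer the framework's implementation and treat the class above as an illustration of what it does for you.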
Do you need to follow design patterns to secure application logic?
Yes.
Does one exist to make your application at the least somewhat secure?
Not "One".
Lots and lots.
There is no "somewhat" secure. There's secure and there's broken.
Start with the OWASP top-ten list and read up on the vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Then, find a framework that does this for you and use the framework.
Don't build your own. It's already been done for you. Just pick a framework that does it.
Why security is binary. "Perfect security" is an oxymoron: it only exists where no information is exchanged.
"Security" doesn't mean "perfect". It means "as good as present technology permits under the circumstances that we've agreed to share information, and I have to assume you're not lying."
If you want "somewhat secure", then you are implementing "somewhat insecure".
If you're going to implement somewhat insecure, you must actually choose the specific kind of insecurity you are going to implement. Generally, you must either give private information away, allow information to be adulterated, or allow a denial of service attack. Pick some combination of things you are going to implement in a "somewhat secure" application.
Try to avoid choosing the "give away the root password" insecurity if you can. Usually, that is isomorphic to "as secure as possible".
Why do you want to add the owner (which seems more like an attribute of a group) into the URL? It can make sense, but I don't see an argument for it. /api/groups/{groupId}/members seems to make more sense? Then you can add another path: /api/users/1/groups and /api/users/1/groupsOwned, where you show a collection of links to the normal group URLs.
Because I need to pass the ID for the user that is modifying the group. If the user is the owner, he can add more members to the group.
In general that sounds like security and should be handled by headers (like Basic Auth, OAuth, etc.). It does not change which resource you show. Even better: when the owner of a group changes, all URLs would be invalid, which is not RESTful. So I would suggest leaving them out and making it an attribute.
Interesting to read when you try to work RESTfully is the concept its author has: Roy Fielding is the inventor of the REST concept, and you can find some basics about the real concept here:
http://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven
Best Answer
A .Net handler can't be used with ASP because IIS can only hand the request off to one handler for each request. ASP and .Net have distinct handlers.
If you wanted to write a .Net HTTPModule to act as a Man in the Middle, the handler for the request would need to be .Net.
I've not tried it, but I reckon if you then wrote a .Net HTTPHandler to service the ASP page (which basically just runs the ASP as VBScript), you'd have complications with the Request and Response objects. Probably more effort than it's worth even trying.
An ISAPI Filter would be the most straightforward way to go, but may not be practical if you don't have the C++ experience. But what you're doing doesn't sound like particularly new ground, and there may be an existing implementation you can use.