Monday, March 12, 2012

Wow, where do I begin?

I'm typically a WinForms programmer, and recently we lost a few big clients because they want a thin client. So our boss says, "drop everything, move to ASP.NET".

I will have a lot of questions in the coming weeks, so I hope there are some gurus around here that can help.

Most of these for now are going to be architecture design questions, so forgive me for being sort of abstract.

Issue 1:
Authentication

For the most part, I will need to analyze the user that logged in to the website (app), so I know what screens (links) and permissions they have to do certain things. It seems to me then, every page will need to know the user, and based on that, run to the SQL server, and grab the dynamic content based on that user. For instance, one user may be able to access a report screen, while another, not being a supervisor, will not get a link for a report screen at all.

So, I'm starting with a simple Login page. The user HAS to log in to access any other part of the site (application). And those credentials can be used to query SQL (on each webpage's page_load) and determine what content they can see or access. Also, these users can come from the Internet or an Intranet.

So, which authentication mode will allow this? I'm thinking Forms-based authentication. If I'm correct in the way I read the books, this model passes the user to each page. If the user navigates away from our website (app), or closes the browser, they will need to re-login. Although, if our client implements web farms, I am unsure if this model will work.

Any ideas?

Issue 2
Dictionaries

In our app, dictionaries are items like US States in a drop-down box. All users will share the same dictionaries. Where do we place the data for these for the session? Currently, they all reside in a SQL database obviously, but it seems to make little sense to run to the database on each web page build to grab the dictionaries to populate the drop-downs. I imagine these should be built when the application is started by any user for the first time, but then, where do they reside?

1. Great places to start:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT04.asp

2. Use the Cache to store that information in. What I do is create an object that I call for the lookup (dictionary) data. The object will check the cache for the datatable holding the lookup data. If the cache doesn't contain a datatable for the lookup data, it will go out to the db and get it. It will then stick it into the cache, then pass it back to the calling procedure. This allows me to set an expiration to the lookup data because it could change if an administrator adds more lookup data. What I do is expire it after 30 minutes so it is forced to go to the database every 30 minutes for the lookup data. The administrators know that if they make a change, it could take up to 30 minutes to actually go live on the site. They could force immediate change by restarting the web app through IIS though. I have found this to balance performance with up-to-date data.

Ok, thanks for the start!
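
The cache lookup described in point 2 of the reply above, as an added C# example that is not code from the thread. `LookupCache`, the connection string, and the `dbo.UsStates` table are hypothetical names, and `HttpRuntime.Cache` is assumed to be the cache the reply means.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Caching;

// Added example. LookupCache, the connection string and dbo.UsStates are hypothetical.
public static class LookupCache
{
    private static readonly object Sync = new object();
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);

    // Hypothetical value; a real application would read this from web.config.
    private const string ConnectionString =
        "Server=(local);Database=AppDb;Integrated Security=true";

    // Lookup data that is identical for every user (the "dictionary" case).
    // Callers should treat the returned table as read-only: it is shared.
    public static DataTable GetStates()
    {
        return Get("lookup:states",
                   "SELECT Code, Name FROM dbo.UsStates ORDER BY Name");
    }

    // fixedQuery must be a constant chosen by the code, never user input.
    private static DataTable Get(string cacheKey, string fixedQuery)
    {
        DataTable table = HttpRuntime.Cache[cacheKey] as DataTable;
        if (table != null) return table;            // cache hit

        lock (Sync)
        {
            // Re-check inside the lock so concurrent requests load only once.
            table = HttpRuntime.Cache[cacheKey] as DataTable;
            if (table != null) return table;

            table = new DataTable();
            using (SqlConnection conn = new SqlConnection(ConnectionString))
            using (SqlDataAdapter adapter = new SqlDataAdapter(fixedQuery, conn))
            {
                adapter.Fill(table);                // opens and closes conn itself
            }

            // Absolute expiration: the entry is dropped 30 minutes after loading,
            // so an administrator's change is picked up on the next reload.
            HttpRuntime.Cache.Insert(cacheKey, table, null,
                DateTime.UtcNow.Add(Lifetime), Cache.NoSlidingExpiration);
            return table;
        }
    }
}
```

Because this cache is in-process and shared by every session, it suits only data that is the same for all users, not per-user permissions. On a web farm each server holds and expires its own copy.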
