Rather than having to look up the role information in the database on every request, the Roles framework includes an option to cache the user's roles in a cookie.

If the Roles framework is configured to cache the user's roles in a cookie, the class to determine the user's roles.

Figure 2: The User's Role Information Can Be Stored in a Cookie to Improve Performance

By default, the role cache cookie mechanism is disabled. It can be enabled through the

The configuration settings listed in Table 1 specify the properties of the resulting role cache cookie. For more information on cookies, how they work, and their various properties, read this Cookies tutorial.

The path attribute enables a developer to limit the scope of a cookie to a particular directory hierarchy. If you want the cookie to be passed to all subdomains you need to customize the

exists is because many user agents do not permit cookies larger than 4,096 bytes. So this cap is meant to reduce the likelihood of exceeding this size limitation.

If the user's browser does not support cookies, or if their cookies are deleted or lost somehow, it's no big deal –

Since possession of the role cache cookie is sufficient to prove role membership, an attacker who somehow gains access to a valid user's cookie can impersonate that user. The likelihood of this happening increases if the cookie is persisted on the user's browser. Microsoft's Patterns & Practices group discourages using persistent role cache cookies.

Such fine-grained role-based authorization rules can be implemented either declaratively or programmatically (or through some combination of the two). In the next section we will see how to implement declarative fine-grained authorization via the LoginView control.

Figure 4: Only Users in the Administrators Role Can View the Protected Pages

Log off and then log in as a user that is in the Administrators role.

In addition to URL authorization, we also looked at declarative and programmatic techniques for controlling the data displayed and the functionality offered by a page based on the visiting user. In particular, we created a page that listed the contents of the current directory.
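As an added example that is not part of the tutorial, the following web.config fragment shows a role cache cookie configured along the lines the text recommends: the cookie is not persisted, is limited by path, and is encrypted and signed. It assumes the standard ASP.NET 2.0 roleManager attribute names (cacheRolesInCookie, createPersistentCookie, cookiePath, cookieProtection, cookieRequireSSL, maxCachedResults, domain); the attribute values are constructed for illustration.

```xml
<configuration>
  <system.web>
    <!-- Enable the Roles framework and the role cache cookie (disabled by default). -->
    <roleManager enabled="true"
                 cacheRolesInCookie="true"
                 cookieName=".ASPXROLES"
                 cookieTimeout="30"
                 cookieSlidingExpiration="true"
                 cookieProtection="All"
                 cookieRequireSSL="true"
                 cookiePath="/"
                 createPersistentCookie="false"
                 maxCachedResults="25" />
    <!--
      createPersistentCookie="false": a session cookie only, since possession of the
      role cache cookie is enough to prove role membership and a persisted copy on
      disk raises the chance that someone else obtains it.
      cookieProtection="All": the cookie contents are encrypted and tamper-checked.
      cookieRequireSSL="true": the browser sends the cookie only over HTTPS.
      cookiePath="/": narrow this to a sub-directory to limit the cookie's scope.
      maxCachedResults="25": caps the number of roles stored so the cookie stays
      well under the 4,096-byte limit many user agents enforce.
      Assumed: to share the cookie across subdomains, add a domain="..." attribute
      (a roleManager attribute; omitted here so the cookie stays host-scoped).
    -->
  </system.web>
</configuration>
```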