URL authorization rules can specify roles instead of users.
The LoginView control, which renders different output for authenticated and anonymous users, can be configured to display different content based on the logged-in user's roles.
And the Roles API includes methods for determining the logged-in user's roles.
This tutorial starts with a look at how the Roles framework associates a user's roles with his security context. NET pipeline it is associated with a security context, which includes information identifying the requestor.
If the Roles framework is configured to cache the user's roles in a cookie, the class to determine the user's roles.
Figure 2: The User's Role Information Can Be Stored in a Cookie to Improve Performance
By default, the role cache cookie mechanism is disabled.
It can be enabled through the
Note: The configuration settings listed in Table 1 specify the properties of the resulting role cache cookie.
For more information on cookies, how they work, and their various properties, read this Cookies tutorial. The path attribute enables a developer to limit the scope of a cookie to a particular directory hierarchy.
A more maintainable approach is to use role-based authorization.
The good news is that the tools at our disposal for applying authorization rules work equally well with roles as they do for user accounts.
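The Web.config fragment below is an added illustration, not part of the original tutorial: it enables the role cache cookie described earlier with protective cookie properties and applies a role-based URL authorization rule to one folder. The role names, the Admin folder and the attribute values chosen are assumptions.

```xml
<!-- Added example. Assumed names: roles "Administrators" and "Supervisors",
     and a folder named Admin under the application root. -->
<configuration>
  <system.web>
    <!-- Enable the Roles framework and cache the user's roles in a cookie.
         cookieProtection="All" both encrypts and validates the cookie, so the
         client can neither read nor tamper with the cached role list.
         cookieRequireSSL="true" keeps the cookie off plain-HTTP requests.
         createPersistentCookie="false" makes it a session cookie, so cached
         roles do not outlive the browser session.
         cookieTimeout (minutes) bounds how long a stale role list is trusted
         after a user's roles change on the server.
         cookiePath limits the cookie to a directory hierarchy; "/" sends it
         with every request to the site. -->
    <roleManager enabled="true"
                 cacheRolesInCookie="true"
                 cookieName=".ASPXROLES"
                 cookiePath="/"
                 cookieProtection="All"
                 cookieRequireSSL="true"
                 cookieSlidingExpiration="true"
                 cookieTimeout="30"
                 createPersistentCookie="false"
                 maxCachedResults="25" />
  </system.web>

  <!-- Role-based URL authorization for the Admin folder. Rules are evaluated
       top to bottom and the first match wins: members of either role are
       allowed, everyone else (authenticated or anonymous) is denied. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators,Supervisors" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```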