It then examines how to apply role-based URL authorization rules. When using forms authentication, an authentication ticket is used as an identity token.
Following that, we will look at using declarative and programmatic means for altering the data displayed and the functionality offered by an ASP. As we discussed in the class to determine the user's roles.
Figure 2: The User's Role Information Can Be Stored in a Cookie to Improve Performance
By default, the role cache cookie mechanism is disabled.
URL authorization rules can specify roles instead of users.
The Login View control, which renders different output for authenticated and anonymous users, can be configured to display different content based on the logged-in user's roles.
The likelihood of this happening increases if the cookie is persisted on the user's browser.
For more information on this security recommendation, as well as other security concerns, refer to the Security Question List for ASP.
parameter, as this parameter indicates that the user arrived at the login page after attempting to view a page he was not authorized to view.
This may entail showing or hiding data based on the user's role, or offering additional functionality to users that belong to a particular role.
A more maintainable approach is to use role-based authorization.
The good news is that the tools at our disposal for applying authorization rules work equally well with roles as they do with user accounts.
If the user's browser does not support cookies, or if their cookies are deleted or lost somehow, it's no big deal – the
Note: Microsoft's Patterns & Practices group discourages using persistent role cache cookies.
Since possession of the role cache cookie is sufficient to prove role membership, if a hacker can somehow gain access to a valid user's cookie, he can impersonate that user.
Anyone could visit this page, but only authenticated users could view the files' contents and only Tito could delete the files.