8.2. Managing User Roles
In addition to being able to authenticate individual users and store Profile data for them, you probably need to understand what roles they are authorized for in the application. To simplify the process of checking application rights, ASP.NET provides the Membership and Roles feature. This allows you to configure groups for a Web application that map to business roles the way that you can in the operating system itself.
8.2.1. Configuring Role Management
Like the other application services, Role Management must be enabled. Instead of checking against the server back-end storage on each request, role management information can be cached in a browser cookie. The roleManager element of the web.config file lets you specify how much data to cache in the cookie and how long it is cached. You can also configure the service to encrypt the data, calculate a hash value to guard against tampering, or do both:
<roleManager enabled="true" cacheRolesInCookie="true" cookieSlidingExpiration="true" cookieProtection="All" />
The options for the cookieProtection attribute of the roleManager element are All, Encryption, None, and Validation. I recommend against None as it equates to sharing with prying eyes any roles you have defined and lets a malicious user submit requests with synthetic role values.
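As an added example (not from the book), here is a minimal web.config that pairs the roleManager settings discussed above with an authorization rule so that the cached roles actually gate access; the Sellers role, the sellers folder path and the cookieRequireSSL attribute are assumptions not shown on this page.

```xml
<?xml version="1.0"?>
<!-- Added example, not the book's own configuration. The "Sellers" role
     and the /sellers folder path are assumed for illustration. -->
<configuration>
  <system.web>
    <authentication mode="Forms" />

    <!-- Roles are cached in a cookie. cookieProtection="All" both encrypts
         the role list and appends a validation hash, so a tampered or
         hand-crafted cookie fails validation and the roles are re-read from
         the provider. cookieProtection="None" would instead send the role
         names in clear text and accept whatever role list the client returns.
         cookieRequireSSL keeps the role cookie off plain HTTP connections. -->
    <roleManager enabled="true"
                 cacheRolesInCookie="true"
                 cookieSlidingExpiration="true"
                 cookieProtection="All"
                 cookieRequireSSL="true" />
  </system.web>

  <!-- Only members of the Sellers role may reach pages under /sellers;
       every other user, anonymous or authenticated, is denied. -->
  <location path="sellers">
    <system.web>
      <authorization>
        <allow roles="Sellers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```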
You can create the roles using code or via the .NET Role Manager element of the IIS 7 Administration tool. Figure 8-7 shows the addition of a new Sellers role to the Sample ...