0

My roleManager in web.config looks like this.

<roleManager enabled="true"
    cacheRolesInCookie="true"
    cookieName=".ASPR0LE3S"
    cookieTimeout="115"
    cookieSlidingExpiration="true"
    cookieProtection="All"
    createPersistentCookie="false"
    defaultProvider="CustomizedRoleProvider">
    <providers>
        <add name="CustomizedRoleProvider"
            type="System.Web.Security.SqlRoleProvider"
            connectionStringName="MyConn"
            applicationName="/MyApp"/>
    </providers>
</roleManager>

What I am trying to do is store my roles in a cookie. The code is supposed to store it, but when I view cookies in Firefox there is no such cookie by the name ASPR... What could be the problem? Am I missing something?

TheTechGuy
  • To view them you must first log on. Do you log on? – Aristos Feb 09 '12 at 19:10
  • I was logged on and I couldn't see it. But even if I am not logged on, I still should be able to see it. My guess is, it is never created. Could it be because I have too many roles and it exceeds the size limit? It shouldn't be because of it – TheTechGuy Feb 09 '12 at 19:12
  • Yes, if you use too many roles for the user it can possibly be avoided, because the cookie has limits and the browser cannot save it, or may even crash. Also you delay the page too much and it is also not secure. – Aristos Feb 09 '12 at 19:19

3 Answers

0

If you are on .NET 4.5 it won't work; you will have to save it yourself. See sample code here.

Joao Leme
0

From the docs:

When the CacheRolesInCookie property is set to true in the Web.config file, role information for each user is stored in a cookie. When role management checks to see whether a user is in a particular role, the roles cookie is checked before the role provider is called to check the list of roles at the data source. The cookie is dynamically updated to cache the most recently validated role names.

The roles won't be stored in the cookie until the first time you attempt to check a role. It seems likely that you're simply logging on and checking for the cookie, without having performed any action that would cause the role provider to look up the user's roles at the data source.

Chris
  • `cookie until the first time you attempt to check a role` what does that exactly mean? Isn't it similar to logging in? By the way, I did see the cookie later, but the fact that my application is slow means it most likely does not check the cookie at all. – TheTechGuy Feb 10 '12 at 11:52
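
The behaviour described in this answer can be observed from inside the application. The handler below is an added example, not code from the thread or from the ASP.NET documentation; the class name `RoleCookieCheck` and the role name `Admin` are assumptions, and it has to be registered as a handler in an application that uses the `roleManager` section from the question.

```csharp
// Added diagnostic example; the class name and the "Admin" role are hypothetical.
using System.Web;
using System.Web.Security;

public class RoleCookieCheck : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse res = context.Response;
        res.ContentType = "text/plain";

        // Effective <roleManager> settings as the runtime sees them.
        res.Write("Roles.Enabled            = " + Roles.Enabled + "\n");
        res.Write("Roles.CacheRolesInCookie = " + Roles.CacheRolesInCookie + "\n");
        res.Write("Roles.CookieName         = " + Roles.CookieName + "\n");
        res.Write("Roles.CookieRequireSSL   = " + Roles.CookieRequireSSL + "\n");
        res.Write("Roles.MaxCachedResults   = " + Roles.MaxCachedResults + "\n");

        // Did the browser send a roles cookie with this request?
        bool sent = context.Request.Cookies[Roles.CookieName] != null;
        res.Write("Roles cookie in request  = " + sent + "\n");

        RolePrincipal user = context.User as RolePrincipal;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            res.Write("No authenticated RolePrincipal, so there is nothing to cache.\n");
            return;
        }

        res.Write("Before role check: IsRoleListCached = " + user.IsRoleListCached + "\n");

        // The first role check is what loads the role list: from the cookie if
        // one was sent, otherwise from the role provider (the database).
        bool isAdmin = user.IsInRole("Admin"); // hypothetical role name
        res.Write("IsInRole(\"Admin\")         = " + isAdmin + "\n");
        res.Write("Role count               = " + user.GetRoles().Length + "\n");

        // CachedListChanged == true means the cached list was modified during
        // this request, so an updated roles cookie is due on the response.
        res.Write("After role check: IsRoleListCached = " + user.IsRoleListCached
                  + ", CachedListChanged = " + user.CachedListChanged + "\n");
    }
}
```

Requesting the handler twice after logging on and comparing the "Roles cookie in request" line between the two responses shows whether the cookie was issued and sent back.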
-1

First of all, caching the roles in the cookie is not so safe, because someone can potentially steal/manipulate that information and use it to change roles. Here is a question about this:

Can some hacker steal the cookie from a user and login with that name on a web site?

Second, when you store information in cookies, this information goes back and forth on every call to your site and adds extra overhead.

If you have too many roles, the browser may not be able to save them, or other cookies may not be able to be saved. In some cases I have seen strange behavior from the browser, such as crashes or white pages, because of this cookie limit being reached, I think.

Try to set the minimum possible cookie information.

Some more information about cookie limits:
http://www.nczonline.net/blog/2008/05/17/browser-cookie-restrictions/
What are the current cookie limits in modern browsers?

You will be able to view the roles in the cookie, encrypted, after the user has logged in.

Aristos
  • I don't know how the ASP.NET role providers work when storing roles in a separate cookie, but the age old recommendation to not store such information in cookies is too generic. There are so many ways a cookie can be protected from man-in-the-middle and hijacking techniques that it's not necessarily a bad idea, given the proper security precautions. – Chris Feb 10 '12 at 06:22
  • @Chris OK, I accept your argument. The issue here is that if you use good, safe encryption you get too big a cookie, which the browser may reject, plus the big overhead. So if you get the one you lose the other. – Aristos Feb 10 '12 at 06:26
  • At least for now my application is local (on our network) so security is less of an issue + overhead. I have about 10 roles. – TheTechGuy Feb 10 '12 at 11:51
  • @Thecrocodilehunter You do not gain that much from this cache, just one more database lookup. – Aristos Feb 10 '12 at 12:45
  • @Aristos I thought this was really going to speed up my PC, since it will look up the role in cookies first and, if it does not find it, then do a database hit, reducing the time considerably. – TheTechGuy Feb 10 '12 at 13:29