What is role-based security, and why should I use it?
What it is...
Role-based security allows you to partition your web site according to the
"role" of the user. That means that once a user is logged-in, the determination
as to whether or not access to a resource is granted is based on the roles a
user plays--such as "administrator", or "premium subscriber", or "guest", for
Why you should use it...
It is much more flexible and powerful than simply using
basic authentication, whereby any user that can "log in" has access to your
entire site -- unless you specify users in a config file, which can be very
tedious and not very maintainable. Using roles, changing the config file for
the purpose of changing security settings occurs less often.
What's wrong with the intrinsic support for this in the .NET framework?
The basics for role-based security can be found in the .NET
framework. However, implementing it in your ASP.NET application can be somewhat
Because of the stateless nature of web applications, you are
required to set the roles for the user upon each and every request to your web
site. Not just once--like when the user first logs in. Given this requirement,
you have three primary options:
Rebuild the roles for each request by querying a
database--obviously not very efficient
Use FormsAuthenticationTicket and store the roles in a cookie
Store the roles in a cache on the server, reducing both bandwidth
use and security risks
In most cases, the last option is the best choice. And the
module provided on this site eliminates the hassles of implementing
this style of role-based security.