How to configure roles providers for Role-Based Authorization in ASP.NET

The article How to use Roles API for Role-Based Authorization in ASP.NET describes the <roleManager> tag as part of web.config. The following table lists the properties of the roles provider that you can configure through the <roleManager> configuration tag:

 

| Option | Description |
| --- | --- |
| enabled | Indicates whether the roles API is enabled (true) or not (false). |
| defaultProvider | Optional attribute for specifying the currently active provider for storing role information. If you want to use a different provider, you have to configure it and set the defaultProvider attribute to the name of the provider you want to use. |
| cacheRolesInCookie | Instead of reading the roles every time from the back-end store, you can store roles in a cookie. This attribute indicates whether a cookie is used. |
| cookieName | If roles are cached in a cookie, you can specify a name for this cookie through this attribute. |
| cookiePath | Specifies the path of the cookie where roles are cached for your application. This allows you to specify the part of your application for which the cookie is valid. The default value is /. |
| cookieProtection | The roles cookie can be encrypted and signed. You specify the level of protection through this attribute. Valid values are All (encrypt and sign), Encryption, Validation, and None. |
| cookieRequireSSL | Specifies whether the cookie will be returned by ASP.NET only if SSL is enabled (true) or in any other case (false). If this attribute is set to true and SSL is not activated, the runtime simply doesn't return the cookie, and therefore role checks always happen against the underlying roles provider. |
| cookieTimeout | Gets or sets a timeout for the roles cookie in minutes, with a default of 30 minutes. |
| cookieSlidingExpiration | Specifies whether the cookie's timeout will be extended with each request the user makes against the ASP.NET application (true) or not (false). The default is true. |
| createPersistentCookie | If set to true, the cookie will be stored persistently on the client machine. Otherwise, the cookie is just a session cookie that will be deleted when the user closes the browser. |
| domain | Specifies the valid domain for the role cookie. |
| maxCachedResults | Specifies the maximum number of role names persisted in the cookie. |

 

The same article shows the configuration of the SqlRoleProvider. The next table lists a couple of additional settings you can configure through web.config:

 

| Property | Description |
| --- | --- |
| name | Name of the provider. This name can be used in the defaultProvider attribute described in the first table to specify the provider used by the application. |
| applicationName | Name of the application for which the roles are managed. |
| description | Short, friendly description of the provider. |
| connectionStringName | Name of the connection string specified in the web.config file's <connectionStrings> section that will be used for connecting to the backend roles store. |
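
The following Python script is an added example, not code from the article: it audits a web.config against the settings in both tables, checking that defaultProvider and connectionStringName resolve to declared entries and that a cached roles cookie is fully protected, SSL-only and non-persistent. The sample file, the helper names `flag` and `audit_role_manager`, and the limitation to entries declared in the same file are assumptions of this example; defaults not stated in the tables (cacheRolesInCookie=false, cookieProtection=All, cookieRequireSSL=false, createPersistentCookie=false) are the .NET Framework defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; every name and value in it is made up.
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="RolesDb" connectionString="Server=.;Database=aspnetdb;Integrated Security=true" />
  </connectionStrings>
  <system.web>
    <roleManager enabled="true" defaultProvider="SqlRoles" cacheRolesInCookie="true"
                 cookieProtection="None" createPersistentCookie="true">
      <providers>
        <add name="AppSqlRoles" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="RolesDatabase" applicationName="/demo" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""

def flag(element, attr, default):
    """Read a boolean-style attribute, falling back to the framework default."""
    return element.get(attr, default).strip().lower() == "true"

def audit_role_manager(config_xml):
    """Return a list of findings for the <roleManager> section (hypothetical helper)."""
    root = ET.fromstring(config_xml)
    rm = next(root.iter("roleManager"), None)
    if rm is None or not flag(rm, "enabled", "false"):
        return ["roles API is not enabled"]
    findings = []
    # Assumption: providers and connection strings are all declared in this file;
    # entries inherited from machine.config are not visible to this check.
    providers = rm.findall("providers/add")
    names = {p.get("name") for p in providers}
    conns = {c.get("name") for c in root.findall("connectionStrings/add")}
    default = rm.get("defaultProvider")
    if default and default not in names:
        findings.append(f"defaultProvider '{default}' is not declared in <providers>")
    for p in providers:
        cs = p.get("connectionStringName")
        if cs not in conns:
            findings.append(f"provider '{p.get('name')}' uses unknown connection string '{cs}'")
    if flag(rm, "cacheRolesInCookie", "false"):  # cookie options only matter when caching
        if rm.get("cookieProtection", "All").lower() != "all":
            findings.append("cookieProtection is not All: role cookie is not both encrypted and signed")
        if not flag(rm, "cookieRequireSSL", "false"):
            findings.append("cookieRequireSSL is not true: role cookie is not restricted to SSL")
        if flag(rm, "createPersistentCookie", "false"):
            findings.append("createPersistentCookie is true: roles persist on the client after the browser closes")
    return findings

if __name__ == "__main__":
    for finding in audit_role_manager(SAMPLE):
        print("-", finding)
```
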