In the article How to use Roles API for Role-Based Authorization in ASP.NET is described a tag <roleManager> as a part of web.config The next table lists the properties you can configure, the roles provider, through the <roleManager> configuration tag:




enabled Indicates whether the roles API is enabled (true) or not (false).

Optional attribute for specifying the currently active provider for storing role information. If you want to use a different provider, you have to configure it and set the defaultProvider attribute to the name of the provider you want to use.


Instead of reading the roles every time from the back-end store, you can store roles in a cookie. This attribute indicates whether a cookie is used.


If roles are cached in a cookie, you can specify a name for this cookie through this attribute.


Specifies the path of the cookie where roles are cached for your application. This allows you to specify the part of your application for which the cookie is valid. The default value is /.


The roles cookie can be encrypted and signed. You specify the level of protection through this attribute. Valid values are All (encrypt and sign), Encryption, Validation, and None.


Specifies whether the cookie will be returned by ASP.NET only if SSL is enabled (true) or in any other case (false). If this attribute is set to true and SSL is not activated, the runtime simply doesn’t return the cookie, and therefore role checks always happen against the underlying roles provider.


Gets or sets a timeout for the roles cookie in minutes with a default of 30 minutes.


Specifies whether the cookie’s timeout will be extended with each request the user is performing against the ASP.NET application (true) or not (false). The default is true.


If set to true, the cookie will be stored persistently on the client machine. Otherwise, the cookie is just a session cookie that will be deleted when the user is closing the browser.


Specifies the valid domain for the role cookie.


Specifies the maximum number of role names persisted in the cookie.


In the same article is shown the configuration of the SqlRoleProvider. The next table lists a couple of additional settings you can configure through web.config:





Name of the provider. This name can be used in the defaultProvider attribute described in first table for specifying the provider by the application.

applicationName Name of the application for which the roles are managed.
description Short, friendly description of the provider.

Name of the connection string specified in the web.config file’s <connectionStrings> section that will be used for connecting to the backend roles store.