Anyone got any ideas

One solution is to create a base page , so that all pages inherits from ,

then in the base page load function , you can check the Current user Principal type , if its not like your custom principal type,  you set it to your custom principal,

      If Context.User.Identity.IsAuthenticated Then
        ' check to see if the current principal is not like your principal type
        If Not (TypeOf context.User Is YourPrincipal) Then

          Dim newUser As New YourPrincipal(.....
          Context.User = newUser

        End If

      End If

Another solution is to check that in Application_AuthenticateRequest ( from global application class , or custom HttpModule) 

In terms of storing the information between postbacks though (i.e. the roles that the user has) i dont see how this helps.

At the moment i am storing it in the session and setting it. Are you surgesting that i should regather this data every time the Application_AuthenticateRequest runs (as this is where I would put it)?

Hi

I've written a example about how to serialize and store information in FormsauthenticationTicket.UserData in this thread for your reference.

http://forums.asp.net/p/1253732/2324459.aspx 

If the above answer hasn't answered your question, please provide more info. Thanks

Thanks for the information this is great.

Just one question though. Now that I think about it how advisable is it to store the role information on the client. I know its encrypted and everything but something makes me think twice about this.

Any thoughts???

Cheers
Anthony

Hi

MachineKey is a secure, cryptographically random key for user to encrypt and decrypt data that want to keep secret, it's strong enough to a public website. However, if you want some additional protection, Secure Sockets Layer (SSL) will be a better choice.

Thanks for this 
Do you or any one you know use this method in a public facing business app?

In your opinion how great do you thing the risk is and at what point would you witch to not storing it on the client?

Cheers
Anthony

vdh_ant:

Do you or any one you know use this method in a public facing business app?

As far as I know, there are more and more website using the ASP.NET 2.0 technique, such as

http://www.getvitalized.com/login.aspx

vdh_ant:

In your opinion how great do you thing the risk is and at what point would you witch to not storing it on the client?

It's a theoretical possibility, So I suppose it will be strong enough to a public website. We have to store cookie in client and send to server for each request since HTTP is a disconnected, stateless protocol.

Cheers