Hi... Well i found out the exact sequence of the code. U can refer to the "Role Based Security in ASP.net " , (search for this artical heading in Google). In the FormsAuthenticationTicket object the Roles of the logged in user is saved and sent it as a cookie, whenever user logs in. Each time when user requests any page, these roles are fetched out and then checked against the authorised roles. (Refer the Application_AuthenticateRequest event in Globle.asax file) For more detail information plz refer "Role Based Security in ASP.net " Regards Yogesh