Last post Nov 23, 2012 04:24 PM by tarnbridge
Nov 08, 2010 03:36 PM
Our websites are configured to use forms-based security and roles. We have enabled cacheRolesInCookie=true in the web.config.
<roleManager enabled="true" cacheRolesInCookie="true" cookieName=".XXX_ASPXROLES" >
This worked fine until recently (not sure when it stopped). Now, instead of seeing a .XXX_ASPXROLES cookie being created, I see the opposite:
Set-Cookie: .AdminPortalASPXROLES=; expires=Tue, 12-Oct-1999 04:00:00 GMT; path=/; HttpOnly
This header is being returned in every page response.
Any idea what could be causing this? Could it have something to do with the recent ASP.NET Security Patch (http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx)?
Nov 23, 2012 04:24 PM
I'm a bit late on replying on this, but just spent the afternoon looking into this.
Basically what it looks like is happening is when the RoleManagerModule (HttpModule) is trying to generate the cookie contents it calls
This ticket is exceeding 4096 bytes (max length of the cookie) and then proceeding to call
In my system I have very few roles. I suspect it's simply serializing the entire RolePrincipal instance.
Not sure at this point what the workaround is, but perhaps a custom RoleManagerModule or a custom role provider.
Hope this is of some help.
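One way to confirm the symptom discussed in this thread from captured response headers, as an added example that is not from either poster: it flags role cookies that are cleared (empty value, past expiry) in every response and never set. The function names, the ASPXROLES suffix filter and the sample .ASPXAUTH header are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def is_deletion(header, now=None):
    """True when the header clears the cookie: empty value plus a past expiry."""
    now = now or datetime.now(timezone.utc)
    _, value, attrs = parse_set_cookie(header)
    if value or "expires" not in attrs:
        return False
    try:
        # Accept both "12-Oct-1999" and "12 Oct 1999" date forms.
        when = datetime.strptime(attrs["expires"].replace("-", " "),
                                 "%a, %d %b %Y %H:%M:%S GMT")
    except ValueError:
        return False
    return when.replace(tzinfo=timezone.utc) < now

def never_cached(responses, suffix="ASPXROLES"):
    """Names of role cookies that are cleared in every response and never set."""
    cleared, assigned = defaultdict(int), defaultdict(int)
    for headers in responses:
        for header in headers:
            name = parse_set_cookie(header)[0]
            if name.endswith(suffix):
                (cleared if is_deletion(header) else assigned)[name] += 1
    return sorted(n for n, c in cleared.items()
                  if c == len(responses) and not assigned[n])

# Constructed sample: three responses repeating the header from the question,
# plus a made-up auth cookie so that the filter has something to skip.
DELETE = (".AdminPortalASPXROLES=; expires=Tue, 12-Oct-1999 04:00:00 GMT; "
          "path=/; HttpOnly")
SAMPLE = [[".ASPXAUTH=0A1B2C; path=/; HttpOnly", DELETE] for _ in range(3)]

if __name__ == "__main__":
    print(never_cached(SAMPLE))
```

A cookie name returned by `never_cached` means role caching is not taking effect for that site, so roles are being resolved on each request instead of read from the cookie.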