quote:Originally posted by musa
Good point. This might defeat the purpose in a high-traffic application. Ideally those roles should be saved to the cookie as a string with a pipe as separator, "User | Admin | Guest", rather than storing them in a runtime array.
Doing this opens a huge security hole. If you put authentication or authorization info in a cookie, and it gets sent to the client, then the client can modify the cookie contents, granting himself Admin privileges.
Your code must never trust data that passes out of its control, which cookies do. Store sensitive information in session variables!
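A minimal illustration of the point above, added here as an example and not code from either poster: the pipe-separated role list the quoted post proposes, read straight back from the cookie, beside the session-keyed version the reply recommends. The `SESSIONS` store, `login` and `roles_from_session` names are assumptions made for this example.

```python
import secrets

# Server-side session store, constructed for this example. A real
# application would use its framework's session backend. Maps an
# opaque session id to the roles granted at login.
SESSIONS: dict[str, set[str]] = {}


def parse_cookie(header: str) -> dict[str, str]:
    """Parse a raw Cookie header ("a=1; b=2") into a name -> value dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


# Vulnerable pattern: the role list travels in the cookie and is trusted
# as sent. The client controls the cookie, so it controls the roles.
def roles_from_cookie_unsafe(cookie_header: str) -> set[str]:
    value = parse_cookie(cookie_header).get("roles", "")
    return {r.strip() for r in value.split("|") if r.strip()}


# Hardened pattern: the cookie carries only a random session id; the
# roles themselves never leave the server.
def login(roles: set[str]) -> str:
    """Create a server-side session and return the id the client stores."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = set(roles)
    return sid


def roles_from_session(cookie_header: str) -> set[str]:
    """Look the session id up server-side; any 'roles' cookie is ignored."""
    sid = parse_cookie(cookie_header).get("sid", "")
    return set(SESSIONS.get(sid, set()))


def is_admin(roles: set[str]) -> bool:
    return "Admin" in roles
```

With the unsafe reader, a client that edits its own cookie to `roles=User|Admin` is treated as an administrator; with the session reader, the same edit changes nothing because the roles are resolved from the server-side store.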