MSDN: [[http://msdn2.microsoft.com/en-us/library/system.security.principal.iprincipal.aspx:System.Security.Principal.IPrincipal]]

IPrincipal appears to be the preferred method for authorization; see [[http://msdn2.microsoft.com/en-us/library/aa302401.aspx:Implement IPrincipal in ASP.NET 1.1]] from Microsoft. The code in that article serializes role information to the authentication ticket; it is unclear whether this is desirable.

From [[http://aspnet.4guysfromrolla.com/articles/082703-1.2.aspx:4 Guys from Rolla]]:

_A Principal contains information about the identity and role(s) that the current user is associated with. It is through the Principal that you are able to check the role membership of the current user. In many ways a Principal is the glue that binds identities, roles, and the various other pieces of information that fully describe that Principal to the application._

*Questions:*
- When does ASP.NET assign HttpContext.User an object that implements IPrincipal?
- Is the MembershipProvider responsible for this assignment?
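
The role check described in the quote above, as an added example that is not code from the Microsoft or 4 Guys from Rolla articles: a custom IPrincipal whose roles are parsed from a delimited string, the shape role data takes once it has been serialized into a ticket. The class name TicketRolePrincipal, the '|' delimiter and the sample user are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical principal (not from the cited articles). Its roles are whatever
// the serialized string held when it was written; later changes in the role
// store are not seen until a new string is issued.
public sealed class TicketRolePrincipal : IPrincipal
{
    private readonly HashSet<string> roles =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    public IIdentity Identity { get; private set; }

    public TicketRolePrincipal(IIdentity identity, string serializedRoles)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        Identity = identity;
        // Missing or empty role data yields no roles (fail closed).
        foreach (string part in (serializedRoles ?? "").Split('|'))
        {
            string role = part.Trim();
            if (role.Length > 0) roles.Add(role);
        }
    }

    // An unauthenticated identity is never in any role, whatever the string says.
    public bool IsInRole(string role)
    {
        return Identity.IsAuthenticated && role != null && roles.Contains(role.Trim());
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: a user name and a role string with stray
        // whitespace and empty entries, as might be read back from a ticket.
        IPrincipal user = new TicketRolePrincipal(
            new GenericIdentity("alice", "Forms"), "Editors| Reviewers ||");
        // GenericIdentity with an empty name reports IsAuthenticated == false.
        IPrincipal anon = new TicketRolePrincipal(new GenericIdentity(""), "Admins");

        Console.WriteLine("alice in editors: " + user.IsInRole("editors"));
        Console.WriteLine("alice in Admins:  " + user.IsInRole("Admins"));
        Console.WriteLine("anon in Admins:   " + anon.IsInRole("Admins"));
    }
}
```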