Does MVC.NET handle Roles using cookies, or does a controller check with the Role Provider on each request? Consider this code:
[Authorize(Roles="CommentsModerator, SiteAdministrator")]
public ViewResult ApproveComment(int commentId) {
// Implement me
}
Are roles set as a cookie when a user first lots on, or will the Authorize attribute check with the Role Provider for each call to this action?
If it uses cookies, it'll be fast. However, it would be tricky to handle the case where a user is removed from a role unless they log out to delete the cookie.