If you want the cookie to be passed to all subdomains you need to customize the exists is because many user agents do not permit cookies larger than 4,096 bytes.
So this cap is meant to reduce the likelihood of exceeding this size limitation.
Anyone could visit this page, but only authenticated users could view the files' contents and only Tito could delete the files.
Applying authorization rules on a user-by-user basis can grow into a bookkeeping nightmare.
URL authorization rules can specify roles instead of users.
The Login View control, which renders different output for authenticated and anonymous users, can be configured to display different content based on the logged in user's roles.
If the user's browser does not support cookies, or if their cookies are deleted or lost, somehow, it's no big deal – the Note Microsoft's Patterns & Practices group discourages using persistent role cache cookies.
This tutorial starts with a look at how the Roles framework associates a user's roles with his security context.
The default value is "/", which informs the browser to send the authentication ticket cookie to any request made to the domain. The default value is an empty string, which causes the browser to use the domain from which it was issued (such as
In this case, the cookie will not be sent when making requests to subdomains, such as admin.
A more maintainable approach is to use role-based authorization.
The good news is that the tools at our disposal for applying authorization rules work equally well with roles as they do for user accounts.