.NET Forms Authentication and Blank UserData

Software

I recently had to retrofit someone else’s .NET Forms Authentication code to use custom roles. In the past, I’ve had a lot of success using the UserData field of the FormsAuthenticationTicket to store a delimited string of roles, then using the AuthenticateRequest method of Global.asax to set the custom roles for the user.

However, it wasn’t working properly, and I went through a couple of agonizing hours of pulling my hair out before I got to the cause of the problem. But first, a note about the clue: when I set the custom FormsAuthenticationTicket, I set the version attribute to “1”. However, when I inspected the returned ticket in AuthenticateRequest, the version was “2”. Funny? I thought so. The ticket was encrypted (of course), so I couldn’t really inspect the raw data, but the only other difference between what I was setting and what I was retrieving was the blank UserData field.

It turns out that the login routine called FormsAuthentication.RedirectFromLoginPage() – which effectively overwrote my nice custom ticket, and replaced it with Mr. Generic Ticket with no UserData, and thus no roles.

Moral: if you are setting a custom ticket, make sure you do a normal Response.Redirect(string) call, NOT FormsAuthentication.RedirectFromLoginPage(), or else you’ll overwrite your ticket.
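The pattern described above, written out end to end as an added example (this is not the post’s own code): the login side builds a version-1 ticket whose UserData carries the delimited roles and then redirects with a plain Response.Redirect, and the Global.asax side rebuilds the principal from that ticket on every request. The method names, the "|" delimiter, the 30-minute lifetime and the role strings are assumptions chosen for illustration.

```csharp
// Added example, not code from the original post. Method names, the "|"
// delimiter, the ticket lifetime and the role values are assumptions.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class CustomRoleLogin
{
    // Call from the login page only after the credentials have been verified.
    // The roles travel inside the ticket, which Encrypt() both encrypts and
    // MAC-protects with the machineKey, so they cannot be edited client-side.
    public static void IssueTicketAndRedirect(HttpResponse response, string userName, string[] roles)
    {
        // Version 1, as the post sets it; UserData holds the delimited role list.
        var ticket = new FormsAuthenticationTicket(
            1,
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),
            false,                                   // session cookie, not persistent
            string.Join("|", roles),
            FormsAuthentication.FormsCookiePath);

        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                         // keep script from reading the ticket
            Secure = FormsAuthentication.RequireSSL, // honour requireSSL from web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);

        // The pitfall from the post: FormsAuthentication.RedirectFromLoginPage()
        // writes its own ticket with an empty UserData over the cookie set above.
        // GetRedirectUrl() gives the same ReturnUrl target without touching the cookie.
        response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false), true);
    }
}

// Global.asax.cs: attach the roles from the ticket to the current principal.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return;                                  // anonymous request: leave Context.User alone

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt() also validates the MAC; a tampered cookie comes back null or throws.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { ticket = null; }
        catch (HttpException)     { ticket = null; }

        if (ticket == null || ticket.Expired)
            return;

        // An empty UserData here is the symptom the post describes: the custom
        // ticket was replaced, so the user ends up authenticated but with no roles.
        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split('|');

        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

With this in place, `User.IsInRole("Editor")` in a page or a `<location>`/`<authorization>` rule in web.config sees the roles from the ticket. A quick check for the problem in the post is to log `ticket.Version` and `ticket.UserData` in Application_AuthenticateRequest right after login: a version you did not set together with an empty UserData means something between your cookie write and the redirect has reissued the ticket.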

2 Comments

  1. arne  •  Jun 18, 2008 @11:49 pm

    Brilliant, I also noticed the version change from “1” to “2” but wasn’t expecting “Mr. Generic” to override my nice little userData.

    Thank you for your info!

  2. GP  •  Aug 6, 2009 @10:32 am

    Brilliant.
