We use a custom RoleProvider to get our roles for our ASP.NET application. It is getting the roles properly, but if we enable the cacheRolesInCookie option in our web.config file. The cookie doesn't get set after we upgraded to .NET 4.5. It still works in our site in .NET 4.0 but whenever we install the 4.5 framework (even when we are still targeting 4.0 in our site), the cookie doesn't get set.
This is what we expect (what we get on our site when in 4.0):
Set-Cookie: .CUSTOMROLES=<LOTS OF DATA>; path=/; HttpOnly
And this is what I get after I upgraded my local dev box to 4.5 (after installing VS2012)
Set-Cookie: .CUSTOMROLES=; expires=Tue, 12-Oct-1999 04:00:00 GMT; path=/; HttpOnly
This is the setting in web.config
<roleManager defaultProvider="CustomRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".DELTAROLES" cookieTimeout="75" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All" >
Also, we have two different RoleProviders and the issue happens with both, also, regardless of what the name of the cookie is and I tried different values for the other cookie options.
Lastly, the GetRolesForUser() function is being called twice because it is not being cached in the cookie properly. Both times it does give the correct roles. Its just not making it to the cookie
EDIT:
I did some more digging and I found out that apparently there is a max-cookie length of 4096 (non-configurable) and the output of RolePrincipal.ToEncryptedTicket is 5698. I am not sure why this is different than it was in .NET 4.0 but it is different. So, I at least, found out why the cookie isn't being set, although I can't imagine why it is trying to be so big as our RoleProvider only gives a maximum of 2 roles, so I don't know what else it is trying to store.
So, I looked at this more and apparently its just simply a bug in .NET 4.5 making it bigger than expected. Microsoft has released a hotfix for it which can be found here: http://support.microsoft.com/kb/2750147