
ASP.NET Identity 2 roles seem to be in the cookie


I am learning/using ASP.NET Identity 2 (specifically 2.2, I think, but I'm not at the PC with the code right now) with my own database structure, based on the post 'ASP.NET Identity Stripped Bare - MVC Part 1' and its follow-up (part 2, natch) post. I've made a few changes as necessary to use it with Web Forms and VB, since that's what I know best and I don't want to try to learn two things at once if it's unnecessary. I'm also using roles for managing access to different areas of the application.

After looking at the database queries that go back and forth during login and moving around the application, it appears that the roles - as well as the other claims - are stored in the authentication cookie.

Should I be worried, given that the cookie is largely in the hands of the client? Are the claims cached on the web server, not in the cookie? If they are in the cookie and that's a problem, what can I do about it?


Solution

The claims etc. are stored in the cookie, but they're encrypted. So, they're as secure as the encryption on that cookie.

That encryption is AES, which has no known practical attacks. If your machineKey is stolen, then you're in trouble there - but a lot more trouble than rogue cookies.
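Because the roles and other claims live only inside that encrypted cookie, a change made in the database (say, a role removed from a user) is not seen until the identity is rebuilt. The OWIN Startup configuration below, an added example rather than code from the question or the linked posts, re-validates the cookie against the database on a fixed interval and hardens the cookie itself; it assumes the application already has an `ApplicationUserManager` with a `Create` factory, an `ApplicationUser` type with a `GenerateUserIdentityAsync` method, and a user store that supports security stamps (`IUserSecurityStampStore`), which a stripped-bare custom store may not implement yet.

```vb
Imports System
Imports Microsoft.AspNet.Identity
Imports Microsoft.AspNet.Identity.Owin
Imports Microsoft.Owin
Imports Microsoft.Owin.Security.Cookies
Imports Owin

Partial Public Class Startup

    Public Sub ConfigureAuth(app As IAppBuilder)
        ' One user manager per request. ApplicationUserManager.Create is assumed to be
        ' the factory the application already uses for its custom store.
        app.CreatePerOwinContext(Of ApplicationUserManager)(AddressOf ApplicationUserManager.Create)

        ' Roles and other claims travel only inside the (encrypted) cookie, so a change
        ' made in the database is invisible until the identity is rebuilt. This validator
        ' re-checks the user's security stamp every 30 minutes and reissues the cookie
        ' from the database, so a revoked role stops working within that window.
        ' ApplicationUser.GenerateUserIdentityAsync is assumed to exist (as in the VS templates).
        Dim provider As New CookieAuthenticationProvider With {
            .OnValidateIdentity = SecurityStampValidator.OnValidateIdentity(Of ApplicationUserManager, ApplicationUser)(
                validateInterval:=TimeSpan.FromMinutes(30),
                regenerateIdentity:=Function(manager, user) user.GenerateUserIdentityAsync(manager))
        }

        ' The cookie payload is protected with the machineKey; keep the cookie away from
        ' client script and off plain HTTP, and give it a bounded lifetime.
        app.UseCookieAuthentication(New CookieAuthenticationOptions With {
            .AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            .LoginPath = New PathString("/Account/Login"),
            .CookieHttpOnly = True,
            .CookieSecure = CookieSecureOption.Always,
            .ExpireTimeSpan = TimeSpan.FromHours(8),
            .SlidingExpiration = True,
            .Provider = provider
        })
    End Sub

End Class
```

With this in place, a stolen cookie is still only as good as the machineKey, but a legitimate user's claims no longer outlive a database change by more than the validation interval.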