I've been reading a lot of articles about how to handle roles based security in ASP.NET and I've seen two popular methods of handling AuthenticateRequest and I'm curious which is preferred. (I've omitted most error checking to simplify the code).

Option 1 (from MSDN patterns & practices - extract cookie and decrypt):
---
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];
if (authCookie == null)
return;
FormsAuthenticationTicket authTicket = null;
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
string[] roles = authTicket.UserData.Split(new char[]{'|'});
FormsIdentity id = new FormsIdentity( authTicket );
GenericPrincipal principal = new GenericPrincipal(id, roles);
Context.User = principal;
---

Option 2 (various articles - cast identity, get forms ticket):
---
FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;
string userData = ticket.UserData;
string[] roles = userData.Split(',');
HttpContext.Current.User = new GenericPrincipal(id, roles);
---

Option 2 makes me think the FormsAuthentication class is doing a lot of stuff behind the scenes but I haven't found the documentation on it (not that it doesn't exist). Is the FormsAuthentication class automatically picking up the cookie and decrypting it with each page request? And if this is the case, then why does the "official" MS method ignore this feature and do things manually?? Thanks for the input!