Corinna,

In your example i'd say its not necessary to use role-based security. Since
there's only 1 level of membership as you say then all I would do is make
unauthenticated users restricted from accessing the news articles. The
cookies are set on the client machine but you can use encryption and SSL to
make sure only they see their cookie information.

Janaka

"Corinna K" <anonymous@discussions.microsoft.com> wrote in message
news:E8239664-BFE6-418F-97E1-1221B585FC45@microsoft.com...
> I'm in the design phase of a simple online store application where
customers purchase access to news articles (pdf files). They receive a
username+password in the mail and they use it to access the site. Basically,
in the database there is a simple mapping between the member id and the pdf
files which they suscribed to.
>
> If there is only one level of membership (there are no "privileged"
members), do I really need role based security?
> Also, there are no online db adminstration features.
> I also have a question on forms based authentication: are the cookies
stored on the customer's computer or on the webserver? With all the
encyption available, shouldn't this pose a threat to the security of the
application?
> CK
> TIA