I'm not saying you have to use the IPrincipal class, I'm just suggesting
that you should use it where appropriate.
With IPrincipal, you get a lot more support from the Framework. For
example, if you use Windows authentication in IIS, the IPrincipal in the
current HttpContext will already contain a WindowsPrincipal that has all of
the user's domain groups in it. You don't have to do anything. IPrincipal
lets you use the PrincipalPermission class as well as the
PrincipalPermissionAttribute class, so that you can just add attributes
to your code to allow access.
IPrincipal integrates with the UrlAuthorizationModule, so you can allow and
deny access to various resources in your ASP.NET application via the
<allow/> and <deny/> tags in web.config.
Finally, IPrincipal is associated with the currently executing thread, so
you can get the IPrincipal associated with the request from components that
have no reference to your ASP.NET code or session variables by simply
calling Thread.CurrentThread.CurrentPrincipal (or using the
PrincipalPermission or PrincipalPermissionAttribute classes). Thus if your
code is factored into several tiers (as is the generally recommended .NET
application architecture), you still have all of these role-based security
services available to you.
You don't get any of that extra support by simply having a function and
using session variables.
It is still possible to store your role-information in session state if you
like. In that case, the general practice is to handle the
Application_AuthenticateRequest event in global.asax and create the
IPrincipal object based on your stored groups in that function. Thus it is
very easy to integrate into the .NET role-based security framework. You can
also do this in an HttpModule very easily. This isn't really significantly
more work than writing a function to check group membership.
So, I'm not saying that you have to use IPrincipal. I'm simply suggesting
that there are some compelling benefits you get from using the APIs the way
they were intended and it isn't very difficult to integrate with the system.
HTH,
Joe K.
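
The role checks described in the post above, as an added example that is not part of the original message: a business-tier class with no reference to System.Web enforces roles through Thread.CurrentPrincipal, both declaratively and imperatively. It assumes a .NET Framework console application; `PayrollService`, `SignIn`, the user names and the role names are hypothetical, and `SignIn` stands in for the code that would build the principal in Application_AuthenticateRequest (where it would also be assigned to Context.User).

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Business tier: knows nothing about ASP.NET, session state or HttpContext.
public static class PayrollService
{
    // Declarative check: the runtime demands the "Managers" role before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public static string ApproveRaise(string employee)
    {
        return employee + " approved by " + Thread.CurrentPrincipal.Identity.Name;
    }

    // Imperative check: same mechanism, but the caller gets a bool instead of an exception.
    public static bool CanViewReports()
    {
        try { new PrincipalPermission(null, "Auditors").Demand(); return true; }
        catch (SecurityException) { return false; }
    }
}

public static class Program
{
    // Hypothetical stand-in for the authentication step: wrap the stored
    // role names (constructed sample data) in a GenericPrincipal.
    static void SignIn(string user, params string[] roles)
    {
        Thread.CurrentPrincipal =
            new GenericPrincipal(new GenericIdentity(user, "Custom"), roles);
    }

    public static void Main()
    {
        SignIn("alice", "Managers");
        Console.WriteLine(PayrollService.ApproveRaise("bob"));
        Console.WriteLine("alice can view reports: " + PayrollService.CanViewReports());

        SignIn("carol", "Staff");
        try { PayrollService.ApproveRaise("bob"); }
        catch (SecurityException) { Console.WriteLine("carol denied: not in Managers"); }
    }
}
```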