I have the following code in global.asax, which picks up a logged in users roles from a db.<BR><BR><BR>if (not(HttpContext.Current.User is Nothing)) then<BR>if HttpContext.Current.User.Identity.AuthenticationTy pe "Forms" then<BR> Dim id as System.Web.Security.FormsIdentity<BR> id = HttpContext.Current.User.Identity<BR> SQL = "SELECT dbo.ADMIN_USERS_PERMISSIONS.* "<BR> SQL = SQL & "FROM dbo.ADMIN_USERS_PERMISSIONS "<BR><BR> SQL = SQL & "WHERE dbo.ADMIN_USERS_PERMISSIONS.USER_TYPE_ID= "<BR><BR> SQL = SQL & "&#039;" & HttpContext.Current.User.Identity.Name & "&#039;"<BR><BR> con = New SqlConnection("connstring")<BR> cmd = New SqlCommand()<BR> cmd.CommandText = SQL<BR> cmd.Connection = con<BR> con.open()<BR><BR> dat = cmd.ExecuteReader()<BR> if dat.Read() then<BR> for i = 3 to dat.fieldcount -1<BR> if dat(i) = "T"<BR> roleList.Add(<BR>Dat.GetName(i) )<BR> end if<BR> next<BR> end if<BR> dat.Close()<BR><BR> Dim roleListArray As String() = roleList.ToArray(GetType(String))<BR><BR>HttpConte xt.Current.User = new<BR>System.Security.Principal.GenericPrincipal( id,roleListArray)<BR><BR><BR>Questions:<BR><BR>Why is it that if I try to run the same code that is currently within Application_AuthenticateRequest from another sub in say sub setroles() in login.aspx it doesn&#039;t set these roles and no errors are thrown (making me think it is working, but it aint)?<BR><BR>If it is just not possible to do this sort of thing outside of global.asax&#039;s application_authenication method, then how can I test if a users roles have been set, so that this code that is calling a DB is not run every time a request is made to any page within the website, which is what it is doing.<BR><BR>Someone suggest putting this in the session_onstart, but that would mean it would be fired before the person had even submitted their login details through login.aspx<BR><BR>I cant use user.identity.name (althought that is whats shown in the code above) to store this id as it being used for another id that I need to keep a hold of for that&#039;s users session?<BR><BR>The only other option I have is to set about 15-20 session vars when the user logs in and use them to determine a users roles/permissions throughout other pages, but this seems a bit of a waste when there is something built into the framework to handle this.<BR><BR><BR><BR>Yours totally confused!<BR>