I changed my application to use "InProc" sessionState instead of "Off" because I need to preserve the user-selected language from page to page when doing localization.
In web.sitemap I have this line:
<siteMapNode url="Admin.aspx" title="Administrator" description="Site administration" roles="Administrator" />
which, before I changed sessionState to "InProc", worked as it was supposed to: the menu item "Administrator" appeared as a menu choice only when the user had logged in with admin rights. Now this menu choice is present for every user.
What could be the reason behind this?
P.S. I derive every page from my BasePage.cs in the App_Code directory, overriding the InitializeCulture method.
Are you calling Session.Abandon() as part of your logoff process?
The roles attribute doesn't do what you think. We all fell into this trap. Read http://blogs.ipona.com/davids/archive/2009/01/12/8554.aspx.
Roles are also stored in a cookie, for performance reasons. You can turn this off if you need to in web.config, in the roles section, with cacheRolesInCookie="false". The real problem is the roles attribute though.
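Added example, not part of the thread and not the poster's own configuration: in ASP.NET the roles attribute on a siteMapNode can only widen who sees a node, so restricting Admin.aspx is done with a URL authorization rule, which both enforces access to the page and drives menu trimming when the site map provider has securityTrimmingEnabled="true". The provider name TrimmedSiteMap and the file name Web.sitemap are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Session setting from the thread (the cookie-based variant) -->
    <sessionState mode="InProc" cookieless="false" timeout="60" />

    <!-- Optional, as mentioned in the reply: do not cache roles in a cookie -->
    <roleManager enabled="true" cacheRolesInCookie="false" />

    <!-- Menu controls hide nodes the current user cannot request only when
         security trimming is switched on for the provider.
         "TrimmedSiteMap" is a hypothetical provider name. -->
    <siteMap defaultProvider="TrimmedSiteMap" enabled="true">
      <providers>
        <add name="TrimmedSiteMap"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>

  <!-- The actual access control: a direct request for Admin.aspx is refused
       for anyone outside the Administrator role, whether or not the menu
       item is rendered. Rules are evaluated top-down; first match wins. -->
  <location path="Admin.aspx">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this rule in place, requesting Admin.aspx directly as a non-administrator is a quick check that the page is protected by authorization and not only by menu visibility.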
I was not using cookies:
<sessionState mode="InProc" cookieless="true" timeout="60"/>
After this it worked:
<sessionState mode="InProc" cookieless="false" timeout="60"/>