My guess would be that you see no session state, because your roles are enumerated before the session state is made available (for your HttpContext object). In this lifecycle documentation, AuthorizeRequest is listed AcquireRequestState, which means you won't have access to session state.
Two alternative suggestions (I prefer the last one, myself):
Hope it helps you out.
I'm trying to create a new, virtual role that checks for a particular key to be present within a user's session, but the session object is always null. Here's a simplified version of the virtual role. What am I doing wrong?
The virtual role is being added in the web.config's <virtualRoles> section as follows: