Taking advantage of cookieless authentication, you can use Forms Authentication and ASP.NET Membership to authenticate users even when someone is using a browser that does not support cookies or a browser with cookies disabled.
When cookieless authentication is enabled, a user can be identified by a unique token added to a page’s URL. If a user uses relative URLs to link from one page to another, then the token is passed from page to page automatically and the user can be identified across multiple page requests.
When you request a page that requires authentication and cookieless authentication is enabled, the URL in the browser address bar looks like this:
http://localhost:1104/mywebsite/(F(WfAnevWxFyuN4SpenRclAEh_lY6OKWVllOKdQkRktOqV7cfcrgUJ2NKxNhH9dTA7fgzZ-cZwyr4ojyU6EnarC-bbf8g4sl6m4k5kk6Nmcsg1))/myFiles/file.aspx
That long, ugly code in the URL is the user’s encoded authentication ticket.
You configure cookieless authentication by assigning a value to the cookieless attribute of the forms element in the web configuration file. The cookieless attribute accepts any of the following four values:
- UseCookies : Always use an authentication cookie.
- UseUri : Never use an authentication cookie.
- AutoDetect : Automatically detect when to use an authentication cookie.
- UseDeviceProfile : Use the device profile to determine when to use an authentication cookie.
\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers
By default, the ASP.NET Framework never uses cookieless authentication with a browser such as Microsoft Internet Explorer. According to the device profile for Internet Explorer, the browser supports cookies, so cookieless authentication is not used. The Framework doesn't use cookieless authentication even when cookies are disabled in the browser.
If you want the ASP.NET Framework to automatically detect whether a browser supports cookies, then you need to set the cookieless attribute to the value AutoDetect. When AutoDetect is enabled, the ASP.NET Framework checks whether a browser sends an HTTP COOKIE header. If the COOKIE header is present, then an authentication cookie is assigned to the browser. Otherwise, the ASP.NET Framework uses cookieless authentication.
The following web configuration file enables AutoDetect:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="AutoDetect"/>
    </authentication>
  </system.web>
</configuration>
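Because the ticket in a cookieless URL travels wherever the URL does (server logs, browser history, Referer headers), it helps to know which cookieless settings allow it and to scrub it before URLs are stored. The following is an added example, not code from the original text: it reads the cookieless value from a web.config and redacts the (F(...)) segment in the form shown earlier. The function names, sample config and sample ticket are constructed for illustration, and the fallback to UseDeviceProfile when the attribute is omitted is the framework default.

```python
import re
import xml.etree.ElementTree as ET

# Values from the list above that can place the ticket in the URL.
URI_CAPABLE = {"UseUri", "AutoDetect", "UseDeviceProfile"}

# Matches the (F(...)) path segment in the form shown on this page.
TICKET_RE = re.compile(r"\(F\([^()/\s]+\)\)")

def cookieless_mode(web_config_xml):
    """Return the effective cookieless value, or None if Forms auth is not on."""
    root = ET.fromstring(web_config_xml)
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return None
    forms = auth.find("forms")
    if forms is None:
        # No <forms> element: the framework default applies.
        return "UseDeviceProfile"
    return forms.get("cookieless", "UseDeviceProfile")

def may_put_ticket_in_url(web_config_xml):
    """True when the configured mode can fall back to a URL-borne ticket."""
    return cookieless_mode(web_config_xml) in URI_CAPABLE

def redact_ticket(url):
    """Replace the ticket so the URL can be written to logs or shared."""
    return TICKET_RE.sub("(F(REDACTED))", url)

# Constructed sample inputs (not real tickets or real configuration).
SAMPLE_CONFIG = (
    '<configuration><system.web>'
    '<authentication mode="Forms"><forms cookieless="AutoDetect"/></authentication>'
    '</system.web></configuration>'
)
SAMPLE_URL = (
    "http://localhost:1104/mywebsite/"
    "(F(CONSTRUCTED_ticket-123))/myFiles/file.aspx"
)

if __name__ == "__main__":
    print("mode:", cookieless_mode(SAMPLE_CONFIG))
    print("ticket may appear in URL:", may_put_ticket_in_url(SAMPLE_CONFIG))
    print("safe to log:", redact_ticket(SAMPLE_URL))
```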