Cookieless Forms Authentication in ASP.Net

Forms authentication uses a cookie to identify a user. However, Forms authentication also supports a feature named cookieless authentication. When cookieless authentication is enabled, a user can be identified without a browser cookie.

Taking advantage of cookieless authentication, you can use Forms Authentication and ASP.NET Membership to authenticate users even when someone is using a browser that does not support cookies or a browser with cookies disabled.

When cookieless authentication is enabled, a user is identified by a unique token inserted into the page's URL. If the pages of the site link to one another with relative URLs, the token is carried from page to page automatically and the user can be identified across multiple requests; an absolute link drops the token and the user appears anonymous on the next page.

When you request a page that requires authentication and cookieless authentication is enabled, the URL in the browser address bar looks like this:

http://localhost:1104/mywebsite/(F(WfAnevWxFyuN4SpenRclAEh_lY6OKWVllOKdQkRktOqV7cfcrgUJ2NKxNhH9dTA7fgzZ-cZwyr4ojyU6EnarC-bbf8g4sl6m4k5kk6Nmcsg1))/myFiles/file.aspx

That long, ugly code in the URL is the user's encoded authentication ticket. Because the ticket is part of the URL, it is also recorded by anything that records URLs, such as server access logs, proxy logs, browser history and the Referer header sent when the user follows an outbound link, so the cookieless modes trade browser compatibility for wider exposure of the credential.
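
As an added example (not code from the original post or from ASP.NET itself), the following Python models the URL format shown above: it pulls the `(F(...))` segment out of a URL, shows that a relative href keeps the segment while a site-absolute href drops it, and scans a constructed request trace for tickets that reached another host inside a Referer header. The ticket value, the `localhost:1104` and `example.org` hosts and the trace lines are constructed for illustration, and the regular expression models only the `F(...)` form shown in this post.

```python
"""
Added example, not code from the original post or from ASP.NET itself.
It models the cookieless Forms Authentication URL format shown above:
the ticket travels as a /(F(<ticket>))/ path segment, relative links carry
it along, site-absolute links drop it, and anything that records URLs
(access logs, the Referer header) records the ticket too.
The ticket value and the request trace below are constructed.
"""
import re
from urllib.parse import urljoin, urlsplit

# Matches the form shown in the post: a path segment of the shape (F(<ticket>)).
# Constructed assumption: the ticket is URL-safe base64-like text.
TICKET_SEGMENT = re.compile(r"/\(F\(([A-Za-z0-9_\-]+)\)\)")

CONSTRUCTED_TICKET = "WfAnevWxFyuN4SpenRclAEh_lY6OKWVllOKdQkRktOqV7cfcrgUJ2NKxNhH9dTA7"
PAGE = f"http://localhost:1104/mywebsite/(F({CONSTRUCTED_TICKET}))/myFiles/file.aspx"


def extract_ticket(url):
    """Return (ticket, url_without_segment); ticket is None when no segment is present."""
    m = TICKET_SEGMENT.search(url)
    if m is None:
        return None, url
    return m.group(1), url[:m.start()] + url[m.end():]


def resolve_link(page_url, href):
    """Resolve an href against the page URL the way a browser does."""
    return urljoin(page_url, href)


def find_referer_leaks(trace):
    """
    Scan a constructed trace of requests, one per line, written as
        <method> <request-url> [referer=<referer-url>]
    as the receiving servers would log them. Report each request whose Referer
    carries a ticket for a host other than the one receiving the request,
    i.e. an authentication ticket that was handed to a third party.
    """
    leaks = []
    for line in trace:
        parts = line.split()
        if len(parts) < 3 or not parts[2].startswith("referer="):
            continue
        request_url, referer = parts[1], parts[2][len("referer="):]
        ticket, _ = extract_ticket(referer)
        if ticket and urlsplit(referer).netloc != urlsplit(request_url).netloc:
            leaks.append((urlsplit(request_url).netloc, ticket))
    return leaks


SAMPLE_TRACE = [
    # Same-site navigation: ticket in both URL and Referer, same host, no leak.
    f"GET {resolve_link(PAGE, 'other.aspx')} referer={PAGE}",
    # An outbound link clicked on the authenticated page: the third-party
    # server now has the ticket in its own access log.
    f"GET http://example.org/partner referer={PAGE}",
    # A request with no Referer at all.
    "GET http://localhost:1104/mywebsite/login.aspx",
]

if __name__ == "__main__":
    print("ticket, stripped url  :", extract_ticket(PAGE))
    print("relative href keeps it:", resolve_link(PAGE, "other.aspx"))
    print("absolute href drops it:", resolve_link(PAGE, "/mywebsite/myFiles/other.aspx"))
    print("tickets seen elsewhere:", find_referer_leaks(SAMPLE_TRACE))
```

The practical reading: with UseUri or AutoDetect, every absolute link inside the site must be passed through Response.ApplyAppPathModifier so the segment is re-inserted, and every link off the site hands the ticket to whoever receives the Referer header.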
You configure cookieless authentication by assigning a value to the cookieless attribute of the forms element in the web configuration file. The cookieless attribute accepts one of the following four values:
  • UseCookies : Always use an authentication cookie.
  • UseUri : Never use an authentication cookie; the ticket is always carried in the URL.
  • AutoDetect : Probe each browser and use a cookie only when the browser accepts one.
  • UseDeviceProfile : Use the device profile to decide whether to use an authentication cookie.
The default value is UseDeviceProfile. By default, the ASP.NET Framework issues a cookie only when the device profile of the requesting browser says that the browser supports cookies. The ASP.NET Framework maintains a database of device capabilities in a set of files contained in the following folder:
\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers

By default, the ASP.NET Framework never uses cookieless authentication with a browser such as Microsoft Internet Explorer. According to the device profile for Internet Explorer, Internet Explorer supports cookies, so cookieless authentication is not used. The Framework does not use cookieless authentication even when cookies have been disabled in the browser, because the decision is made from the profile, not from the browser's actual behaviour.

If you want the ASP.NET Framework to detect whether a browser actually accepts cookies, set the cookieless attribute to the value AutoDetect. When AutoDetect is enabled, the ASP.NET Framework first checks whether the request already carries an HTTP Cookie header. If it does, an authentication cookie is issued to the browser. If it does not, the Framework sets a test cookie and redirects the browser back to the same page; only when the test cookie fails to come back does the Framework fall back to cookieless authentication.
The following web configuration file enables AutoDetect:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="AutoDetect"/>
    </authentication>
  </system.web>
</configuration>