6.5. Using Cookieless Forms Authentication

ASP.NET 2.0 and ASP.NET 3.5 automatically support issuing and managing forms authentication tickets in a cookieless manner. The process starts with ASP.NET inspecting the request URL for any cookieless tickets. In ASP.NET 2.0 and 3.5, cookieless tickets are supported for session state (this was also available in 1.1), forms authentication (previously available as part of the mobile support in ASP.NET), and anonymous identification (introduced in ASP.NET 2.0). A sample URL with a cookieless session state ticket is shown here:

http://localhost/inproc/(S(tuucni55xfzj2xqx1mnqdg55))/Default.aspx

ASP.NET reserves the path segment immediately after the application's virtual root as the location on the URL where cookieless tickets are stored. In this example, the application was called inproc, so the next path segment is where ASP.NET stored the cookieless tickets. All cookieless tickets are stored within an outer pair of parentheses. Within these, there can be a number of cookieless tickets, each starting with a single letter indicating the feature that consumes the ticket, followed by a pair of parentheses that contain the cookieless ticket. Currently, the following three identifiers are used:

  • S: Cookieless ticket for session state

  • A: Cookieless ticket for anonymous identification

  • F: Cookieless ticket for forms authentication

At some stage during the request life cycle, ASP.NET removes the cookieless tickets from the URL and inserts ...
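The URL layout described above can be parsed mechanically, which is useful when triaging web server or proxy logs for tickets that ended up in recorded URLs. The following Python sketch is an added example, not ASP.NET's own implementation and not code from the book; the function names are hypothetical, the second sample URL is constructed, and it assumes the caller knows the application's virtual root.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Identifier letters listed in the text above.
FEATURES = {"S": "session state", "A": "anonymous identification",
            "F": "forms authentication"}

# One ticket: identifier letter, then the value in its own parentheses.
_TICKET = re.compile(r"([A-Z])\(([^()]*)\)")
# Whole segment: outer parentheses wrapping one or more tickets.
_SEGMENT = re.compile(r"\((?:[A-Z]\([^()]*\))+\)")


def parse_cookieless(url, app_root):
    """Return (tickets, clean_url) for the segment right after app_root.

    tickets maps identifier letter -> ticket value; clean_url is the URL
    with the ticket segment removed. A URL without a well-formed ticket
    segment in that position is returned unchanged with no tickets.
    """
    parts = urlsplit(url)
    segments = parts.path.split("/")      # segments[0] is "" (leading slash)
    root = [s for s in app_root.split("/") if s]
    idx = 1 + len(root)                   # index of the reserved segment
    same_root = [s.lower() for s in segments[1:idx]] == [s.lower() for s in root]
    if not same_root or idx >= len(segments):
        return {}, url
    if not _SEGMENT.fullmatch(segments[idx]):
        return {}, url
    tickets = dict(_TICKET.findall(segments[idx][1:-1]))
    clean_path = "/".join(segments[:idx] + segments[idx + 1:])
    return tickets, urlunsplit(parts._replace(path=clean_path))


def features_present(tickets):
    """Name the features carried, without echoing the ticket values."""
    return sorted(FEATURES.get(letter, "unknown") for letter in tickets)


if __name__ == "__main__":
    samples = [
        # URL from the text above.
        "http://localhost/inproc/(S(tuucni55xfzj2xqx1mnqdg55))/Default.aspx",
        # Constructed sample carrying two tickets and a query string.
        "http://localhost/inproc/(S(abc)F(def))/Default.aspx?x=1",
    ]
    for sample in samples:
        found, clean = parse_cookieless(sample, "/inproc")
        print(features_present(found), clean)
```
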
