ASP.NET 2.0 Security


Alex Homer, Rob Howard, Dave Sussman

Cookieless Forms Authentication

ASP.NET 1.0 introduced the Forms Authentication feature to allow developers to easily author ASP.NET applications that rely on an authentication mechanism they can control. Forms Authentication exposes a set of APIs that developers can simply call to authenticate the user, such as:

FormsAuthentication.RedirectFromLoginPage(Username.Text, False)

Forms Authentication in ASP.NET 1.0 would then take the username, encrypt it, and store it within an HTTP cookie. The cookie would be presented on subsequent requests and the user automatically reauthenticated.

One of the common feature requests the ASP.NET team continually received was the ability for Forms Authentication to support cookieless authentication, that is, to not require an HTTP cookie. This is just what the team has provided in ASP.NET 2.0.

Enabling Cookieless Forms Authentication

Cookieless Forms Authentication is enabled within the machine.config file or the web.config file of your application by setting the new cookieless attribute (see Listing 6.21).

Example 6.21. Default Configuration for Forms Authentication

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/"
             requireSSL="false"
             slidingExpiration="true"
             defaultUrl="default.aspx"
             cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>

The cookieless attribute has four possible values: [20]

  • UseUri: Forces the authentication ticket to be stored in the URL.

  • UseCookies: Forces the authentication ticket to be stored in the cookie (same as ASP.NET 1.0 behavior).

  • AutoDetect: Automatically detects whether the browser/device does or does not support cookies.

  • UseDeviceProfile: Chooses to use cookies or not based on the device profile settings from machine.config.

If we set the cookieless value to UseUri within web.config and then request and authenticate with Forms Authentication, we should see something similar to what Figure 6.15 shows within the URL of the requested page.

Figure 6.15 Cookieless Forms Authentication

Below is the requested URL—after authentication—in a more readable form:

http://localhost/Whidbey/GrocerToGo/(A(AcNzj7rSUh84OWViZTcwMi0xNWYyLTQ5ODAtYjU2NC0yYTg3MjEzMzRhY2Y`)F(uoG1wsK16NJFs7e2TJo2yNZ6eAZ8eoU9T8rSXZXLEPPM8STwp6EONVtt4YCqEeb-9XDrrEpIHRpOOlKh8rO9f0AhP6AXWwL*0bM bxYcfZc`))/default.aspx
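
With UseUri the ticket is part of the request path, so it is recorded wherever the URL is recorded, such as web server logs. The following is an added example, not code from the original article: it replaces the values in such a path segment with a one-way fingerprint before a log line is stored, and lists tickets presented from more than one client address. It assumes that the F(...) element seen in the URL above carries the Forms Authentication ticket, and it uses a constructed log format with the client IP as the first field.

```python
import hashlib
import re
from collections import defaultdict

# Path segment of the shape shown above: /(A(...)F(...))/page.aspx
# Assumption: the F(...) element is the one carrying the forms ticket.
SEGMENT = re.compile(r"/\((?:[A-Za-z]\([^()/\s]*\))+\)(?=/)")
ELEMENT = re.compile(r"([A-Za-z])\(([^()/\s]*)\)")

def fingerprint(value):
    """Short one-way tag: lets requests be correlated without keeping the ticket."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]

def redact(text):
    """Replace every element value in a cookieless segment with its fingerprint."""
    def scrub(segment):
        return ELEMENT.sub(
            lambda m: f"{m.group(1)}(sha256:{fingerprint(m.group(2))})",
            segment.group(0))
    return SEGMENT.sub(scrub, text)

def forms_tickets(text):
    """Return the F(...) values found in cookieless segments of `text`."""
    return [value
            for seg in SEGMENT.finditer(text)
            for key, value in ELEMENT.findall(seg.group(0))
            if key == "F"]

def shared_tickets(log_lines):
    """Map ticket fingerprint -> client IPs, for tickets seen from several clients."""
    clients = defaultdict(set)
    for line in log_lines:
        ip = line.split()[0]  # constructed format: client IP is the first field
        for ticket in forms_tickets(line):
            clients[fingerprint(ticket)].add(ip)
    return {fp: sorted(ips) for fp, ips in clients.items() if len(ips) > 1}

# Constructed sample lines (client-ip method path status); the tickets are made up.
SAMPLE_LOG = [
    "10.0.0.5 GET /GrocerToGo/(A(a1b2)F(TICKET-ONE*x))/default.aspx 200",
    "10.0.0.5 GET /GrocerToGo/(A(a1b2)F(TICKET-ONE*x))/cart.aspx 200",
    "203.0.113.9 GET /GrocerToGo/(F(TICKET-ONE*x))/cart.aspx 200",
    "10.0.0.7 GET /GrocerToGo/(A(c3d4)F(TICKET-TWO))/default.aspx 200",
    "10.0.0.7 GET /GrocerToGo/default.aspx 200",
]

if __name__ == "__main__":
    print("\n".join(redact(line) for line in SAMPLE_LOG))
    print(shared_tickets(SAMPLE_LOG))
```

A ticket seen from two addresses is a prompt for review rather than proof of misuse, since proxies and changing networks produce the same pattern.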
