Cookieless Forms Authentication
ASP.NET 1.0 introduced the Forms Authentication feature to allow developers to easily author ASP.NET applications that rely on an authentication mechanism they could control. Forms Authentication exposed a set of APIs that developers can simply call to authenticate the user, such as
Forms Authentication in ASP.NET 1.0 would then take the username, encrypt it, and store it within an HTTP cookie. The cookie would be presented on subsequent requests and the user automatically reauthenticated.
One of the common feature requests the ASP.NET team continually received was the ability for Forms Authentication to support cookieless authentication, that is, to not require an HTTP cookie. This is just what the team has provided in ASP.NET 2.0.
Enabling Cookieless Forms Authentication
Cookieless Forms Authentication is enabled within the machine.config file or the web.config file of your application by setting the new cookieless attribute (see Listing 6.21).
Example 6.21. Default Configuration for Forms Authentication
<configuration> <system.web> <authentication mode="Forms"> <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="default.aspx" cookieless="UseCookies" /> </authentication> </system.web> </configuration>
The cookieless attribute has four possible values: 
UseUri: Forces the authentication ticket to be stored in the URL.
UseCookies: Forces the authentication ticket to be stored in the cookie (same as ASP.NET 1.0 behavior).
AutoDetect: Automatically detects whether the browser/device does or does not support cookies.
If we set the cookieless value to UseUri within web.config and then request and authenticate with Forms Authentication, we should see something similar to what Figure 6.15 shows within the URL of the requested page.
Figure 6.15 Cookieless Forms Authentication
Below is the requested URLafter authenticationin a more readable form: