What happens if Forms Authentication is enabled and cookies are disabled?
What happens in Forms Authentication if cookies are disabled?
<authentication mode="Forms">
  <forms loginUrl="login.aspx" timeout="30" protection="All" path="/" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>
<sessionState mode="InProc"
    stateConnectionString="tcpip=127.0.0.1:42424"
    sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
    cookieless="true" timeout="20" />
Mangled URLs are used during sessions due to the cookieless=true setting.
But why is the authentication cookie (in my case, its name is ASPXAUTH) also carried in the URIs? I know that this cookie needs to be present in the HTTP headers, but what configuration has defined that this cookie is embedded in the query string of the URL like this?
The answer is simple, but again it requires you to consider the trade-offs of using cookieless sessions. This behavior occurs largely because the SessionStateModule class writes data to the cookies collection using HttpRequest.AddResponseCookie().
The AddResponseCookie() method checks whether the cookie collection is null (and it will be if you are using cookieless sessions). If it is null, the method appends the ASP.NET auth cookie to an internal HttpValueCollection. These values are then written to the QueryString when the handler writes the response back to the user.
The fact that this is a cookie doesn't go away just because it's a "special cookie". In fact, what good would your cookie do if it were written back in the header?
The whole reason behind cookieless sessions is to allow sites to work for clients that don't support client-side cookies. If a client didn't support cookies and your authentication cookie was written back in the header instead of the QueryString, your cookie-based forms authentication wouldn't work either.
Keep this in mind when enabling cookieless sessions and forms authentication together.
Reference: MSDN for .NET
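An added example (not from the original post or from Microsoft): a small Python audit that flags web.config settings under which ASP.NET may carry the session ID or the forms-authentication ticket in the URL, where it can leak through server logs, browser history and Referer headers. It goes beyond the post by also checking the `cookieless` attribute of `<forms>` itself (ASP.NET 2.0 and later) and the documented defaults; the function names and the sample XML, built from the post's configuration, are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# HttpCookieMode values under which ASP.NET may place the token in the URL.
# "true" is the legacy boolean form accepted by <sessionState>.
URL_MODES = {"useuri", "autodetect", "usedeviceprofile", "true"}
# Documented defaults when the attribute is absent (ASP.NET 2.0 and later).
DEFAULTS = {"forms": "UseDeviceProfile", "sessionState": "UseCookies"}

def local(tag):
    """Drop an XML namespace prefix such as '{uri}forms' -> 'forms'."""
    return tag.rsplit("}", 1)[-1]

def audit(web_config_xml):
    """Return (element, effective_mode, explicit) for each risky setting."""
    findings = []
    for el in ET.fromstring(web_config_xml).iter():
        name = local(el.tag)
        if name not in DEFAULTS:
            continue
        explicit = "cookieless" in el.attrib
        mode = el.get("cookieless", DEFAULTS[name])
        if mode.strip().lower() in URL_MODES:
            findings.append((name, mode, explicit))
    return findings

# Constructed sample: the configuration from the post, wrapped in the
# <configuration>/<system.web> elements a real web.config carries.
SAMPLE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" timeout="30" protection="All" path="/" />
  </authentication>
  <authorization><deny users="?" /></authorization>
  <sessionState mode="InProc" cookieless="true" timeout="20" />
</system.web></configuration>"""

# Constructed hardened variant: both tokens restricted to cookies.
HARDENED = SAMPLE.replace('path="/" />', 'path="/" cookieless="UseCookies" />') \
                 .replace('cookieless="true"', 'cookieless="UseCookies"')

if __name__ == "__main__":
    for name, mode, explicit in audit(SAMPLE):
        src = "explicit" if explicit else "default"
        print(f"<{name}> cookieless={mode} ({src}): token may appear in URLs")
    print("hardened findings:", audit(HARDENED))
```

With `UseCookies` on both elements, clients that refuse cookies cannot log in at all, which is the trade-off the post describes.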