
Cookieless ASP.NET forms authentication

25 Aug 2002
They say it is not possible to use cookieless forms authentication in .NET. Well it is, and relatively easy to accomplish!

Cookieless forms authentication

Why, when?

They say it's not possible. Well it is, and relatively easy to accomplish!

A lot of companies and people want to exclude cookies from their lives, partly because cookies are said to be insecure, partly because they see no reason to use them.

In my case it was mandatory not to use cookies, but still to provide a forms login page. Of course I started with the normal forms authentication, because I believed that Big Brother couldn't have made the mistake of relying on cookies.

They did. After searching all the forums for a way to skip cookie usage, all I found was this:

The hard way

If you pass the encrypted ticket as a GET parameter in the Response.Redirect() call, the system works as normal: the user stays signed in as long as the parser can find the ticket either as a GET parameter or as a cookie. Carrying the ticket in every link this way is not easy and makes no sense at all.

The code snippet to accomplish the "GET" way of cookieless authentication is:

FormsAuthenticationTicket tkt;
string cookiestr;

// create a valid ticket for forms authentication (version 1, valid 30 minutes,
// not persistent, with a custom user-data string)
tkt = new FormsAuthenticationTicket(1, userName, DateTime.Now,
    DateTime.Now.AddMinutes(30), false, "your custom data");

// get the encrypted string representation of the ticket
cookiestr = FormsAuthentication.Encrypt(tkt);

// redirect to the return URL, carrying the ticket in the address field.
// In web.config the forms cookie was named .ASPXFORMSAUTH2, so set that value.
// (Note: this appends "?", so it breaks if ReturnUrl already has a query string.)
string strRedirect = Request["ReturnUrl"] + "?.ASPXFORMSAUTH2=" + cookiestr;
Response.Redirect(strRedirect, true);

This is useless, I tell you. Completely unpleasant, and insecure: the ticket sits in the address bar, and you would have to change all the links to carry it (which of course you won't).

And here is the way you can actually do it:

The configuration

No authentication tag is needed beyond <authentication mode="None" />. The following line in web.config tells the framework not to store the session ID in a cookie, but to add it as a special directory in the address field:

<sessionState cookieless="true" timeout="20" />

After adding this line, the address field will always look like:

http://localhost/samplecookieless/(lvymatawljpjtl55d4awjg55)/login.aspx

As you can see, on each request the session ID is passed as a directory. Very smart solution from MS! When you want to create a link with GET parameters to another page, you have to pay attention to this, since calling an aspx page without the session ID in the address creates a new session. So, to create a link that has GET parameters, do this:

// We build the whole link by hand: host name, then the application path,
// then the session ID as a "directory" (as shown above), and finally the
// target page with its HTTP-GET parameters. The parameter values are
// URL-encoded so that they cannot break the query string.
string url = string.Format(
    "http://" + Request.Headers["Host"] +
    Request.ApplicationPath.TrimEnd('/') +
    "/(" + Session.SessionID + ")/Main.aspx?{0}={1}&{2}={3}",
    "State", HttpUtility.UrlEncode(state.ToString()),
    "Lang", HttpUtility.UrlEncode(langID.ToString())
);

(OK, I needed it. Usually people don't care about GET parameters, so probably you won't need it.)

The coding part

In global.asax.cs, add:

private void InitializeComponent()
{
    // Tell the application to catch every AcquireRequestState event, so
    // before every page load Global_AcquireRequestState is called.
    this.AcquireRequestState += new
        System.EventHandler(this.Global_AcquireRequestState);
}

private void Global_AcquireRequestState(object sender, System.EventArgs e)
{
    // Check whether the code "Name-John" is stored in the session variable
    // called "Authenticated"; put simply, whether someone has set this
    // variable. If it is set, do nothing, so the requested page will load.
    if ((string)Session["Authenticated"] != "Name-John")
    {
        // Not set yet: redirect to the login page, unless the caller is the
        // login page already. We don't want loops, so let that one load.
        // Response.Redirect ends the response itself, so no Response.End()
        // is needed after it.
        if (!Request.Path.EndsWith("login.aspx"))
        {
            Response.Redirect("login.aspx");
        }
    }
}

If the user entered valid credentials (check them however you like), then in login.aspx.cs set the session variable Authenticated to the code Name-John, so the global handler will let the user download pages:

// the credentials were accepted, so mark the session as authenticated
Session["Authenticated"] = "Name-John";
// the auth is successful, so send the user to the page
Response.Redirect("default.aspx", true);

As you see, this is a pure redirect. No ASP.NET forms authentication is used. On default.aspx, place whatever you want; those controls will be protected. If you want to sign out the user, call this code:

// signs out: drops the server-side session state
Session.Abandon();
// redirects to itself. This will end up on login.aspx, because we are signed out
Response.Redirect(Request.Path, true);
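As an added example that is not part of the original article, here are the three snippets above (the Global.asax.cs gate, the login and the sign-out) folded into one class: it skips handlers that have no session instead of throwing, stores a typed flag rather than comparing a magic string, compares the login path case-insensitively, and sends no-cache headers on protected pages so the browser's Back button does not replay them after sign-out. The class and method names, and the use of `Init()` instead of the designer's `InitializeComponent()`, are my own assumptions.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

public class Global : HttpApplication
{
    private const string AuthKey = "Authenticated";   // same session key as the article
    private const string LoginPage = "login.aspx";

    public override void Init()
    {
        base.Init();
        // Same event the article hooks: fires for every request that reaches ASP.NET.
        this.AcquireRequestState += new EventHandler(Global_AcquireRequestState);
    }

    private void Global_AcquireRequestState(object sender, EventArgs e)
    {
        // Handlers without session state (static files, trace.axd) carry no session;
        // this.Session would throw for them, Context.Session just returns null.
        HttpSessionState session = Context.Session;
        if (session == null) return;

        if (IsAuthenticated(session))
        {
            // Protected page: tell browsers and proxies not to keep a copy, so Back
            // after sign-out does not show it from the cache (see "Misc" below).
            Response.Cache.SetCacheability(HttpCacheability.NoCache);
            Response.Cache.SetNoStore();
            return;
        }
        // Let the login page itself through, otherwise we would redirect in a loop.
        if (Request.Path.EndsWith(LoginPage, StringComparison.OrdinalIgnoreCase)) return;
        // Relative redirect: the framework re-inserts the (sessionid) directory.
        Response.Redirect(LoginPage, true);
    }

    // A typed flag instead of the "Name-John" string comparison.
    public static bool IsAuthenticated(HttpSessionState session)
    {
        object flag = session[AuthKey];
        return flag is bool && (bool)flag;
    }

    // Call from login.aspx.cs once the credentials have been checked.
    public static void SignIn(HttpContext ctx)
    {
        ctx.Session[AuthKey] = true;
        ctx.Response.Redirect("default.aspx", true);
    }

    // Call from the sign-out button; Abandon() discards the server-side state.
    public static void SignOut(HttpContext ctx)
    {
        ctx.Session.Abandon();
        ctx.Response.Redirect(LoginPage, true);
    }
}
```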

Misc. good-to-knows

After clicking sign-out, the user is back on login.aspx. If he presses Back, he can see the page from his browser's cache, but cannot click anything. It would be wise to set the cache expiration so that the page is not served from the cache at all.

If you press [Back], then [Refresh], Internet Explorer will say "The page cannot be refreshed without resending the information" and prompt for "Retry/Cancel".

Usually, when someone presses Retry, the password is sent again and the user is signed in again. Well, not in our case.

You can verify that this method really doesn't use cookies: in Internet Explorer, go to Tools / Internet Options, open Privacy, block all cookies, then try to sign in and out.

If you have any questions/comments, please send it to me!

Sincerely, Adam

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

About the Author

brutal, Hungary


Last Updated 26 Aug 2002
Article Copyright 2002 by brutal