Cookieless forms authentication
They say, its not possible. Well it is, and relatively easy to accomplish!
Lot of companies and people want to exclude cookie usage from their lives.
Partly because its said to be insecure, partly because they see no reason to
Of course I've started with the normal forms authentication, cause I believed,
They did. After searching all the forums how to skip cookie usage, all I've found was this:
The hard way
If you pass the encoded cookie as a
GET parameter to the
function, the system will work as normal: the user will be signed in until the parser
can find the cookie as a
GET parameter, or a cookie is not easy, and
makes no sense at all.
The code snippet to accomplish the "get" way of cookieless authentication is:
tkt = new FormsAuthenticationTicket(1, userName, DateTime.Now,
DateTime.Now.AddMinutes(30), false, "your custom data");<BR>
cookiestr = FormsAuthentication.Encrypt(tkt);
string strRedirect = Request["ReturnUrl"] + "?.ASPXFORMSAUTH2=" + cookiestr;
This is useless, I tell you. Completely unpleasant, and insecure (you have to
change all the links, which of course you won't)
And here is the way, you can do it:
No authentication tag needed beside the "none". The next line in the web.config will tell the
framework not to store the session ID in a cookie, but add as a special directory to the address field.
<sessionState cookieless="true" timeout="20" />
After adding this line, the address field will always look like:
As you can see, on each request, the session ID is passed as a directory. Very smart solution from MS!
When you want to create a link with get parameters to another page, you have to pay attention
to it, since calling an aspx without the session ID in the address will create a
new session. So, to create a link, that has
GET parameters, do this:
string url =
"http://" + Request.Headers["Host"] + "/" +
"/(" + Session.SessionID +
(OK, I needed it. Usually people don't care about
GET parameters, so probably you won't need it.)
The coding part
In global.asax.cs, add:
private void InitializeComponent()
this.AcquireRequestState += new
void Global_AcquireRequestState(object sender, System.EventArgs e)
if((string)Session["Authenticated"] != "Name-John")
If the user entered valid codes (check them however you like), in
set the session variable
Authenticated to code
Name-John, so the global will let the
users download pages.
Session["Authenticated"] = "Name-John";
As you see, this is a pure redirect function. No ASP.NET forms authentication is used.
On the default.aspx, place whatever you want. Those controls will
be in safety. If you want to sign out the user, call this code:
Misc good to knows
After clicking the sign-out, the user will be back on login.aspx. If he presses back,
he can see the page from his browser's cache, but cannot click anything. It could be wise
to set the cache expiration.
If you press [Back], then [Refresh], the explorer will asks for
"The page cannot be refreshed without resending the information",
and prompts for "Retry/Cancel".
Usually, when someone presses retry, the password is sent again, and the user
is signed in again. Well, not in our case
Tools / Internet Options. Go Privacy, and block all cookies, then try to sign in'n'out.
If you have any questions/comments, please send it to me!