ASP.NET 1.0 introduced the Forms Authentication feature to allow developers to easily author ASP.NET applications that rely on an authentication mechanism they could control. Forms Authentication exposed a set of APIs that developers can simply call to authenticate the user, such as
FormsAuthentication.RedirectFromLoginPage(Username.Text, False)
Forms Authentication in ASP.NET 1.0 would then take the username, encrypt it, and store it within an HTTP cookie. The cookie would be presented on subsequent requests and the user automatically reauthenticated.
One of the common feature requests the ASP.NET team continually received was the ability for Forms Authentication to support cookieless authentication, that is, to not require an HTTP cookie. This is just what the team has provided in ASP.NET 2.0.
Enabling Cookieless Forms Authentication
Cookieless Forms Authentication is enabled within the machine.config file or the web.config file of your application by setting the new cookieless attribute.
Default Configuration for Forms Authentication
<configuration>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseCookies" />
</authentication>
</system.web>
</configuration>
The cookieless attribute has four possible values:
- UseUri: Forces the authentication ticket to be stored in the URL.
- UseCookies: Forces the authentication ticket to be stored in the cookie (same as ASP.NET 1.0 behavior).
- AutoDetect: Automatically detects whether the browser/device does or does not support cookies.
- UseDeviceProfile: Chooses to use cookies or not based on the device profile settings from machine.config.
