How to use cookieless Forms Authentication in ASP.NET

ASP.NET supports cookieless forms authentication out of the box. You can configure it through the cookieless attribute of the <forms /> tag in the <authentication /> section:

 

<authentication mode=”Forms”>

<!– Detailed configuration options –>

<forms name=”MyCookieName”

loginUrl=”DbLogin.aspx”

cookieless=“AutoDetect” />

</authentication>

 

The next table describes cookieless option possible settings in details:

 

OptionDescription
UseCookies

Forces the runtime to use cookies when working with forms authentication. This requires the client browser to support cookies. If the browser does not support cookies, forms authentication will simply not work with that setting activated. As it will never receive a valid authentication cookie from the browser, ASP.NET redirects back to the login page over and over again, and you end up in an endless loop of presented login pages.

UseUri

If this configuration option is selected, cookies will not be used for authentication. Instead, the runtime encodes the forms authentication ticket into the request URL, and the infrastructure processes this specific portion of the URL for establishing the security context.

AutoDetect

Results in the use of cookies if the client browser supports cookies. Otherwise, URL encoding of the ticket will be used. This is established through a probing mechanism.

UseDeviceProfileResults in the use of cookies or URL encoding based on a device profile configuration stored on the web server. These profiles are stored in .browser files in the c:\[WinDir]\Microsoft.NET\Framework\[Version]\CONFIG\Browsers directory.