ASP.NET supports cookieless forms authentication out of the box. You can configure it through the cookieless attribute of the <forms /> tag in the <authentication /> section:


<authentication mode=”Forms”>

<!– Detailed configuration options –>

<forms name=”MyCookieName”


cookieless=“AutoDetect” />



The next table describes cookieless option possible settings in details:


Option Description

Forces the runtime to use cookies when working with forms authentication. This requires the client browser to support cookies. If the browser does not support cookies, forms authentication will simply not work with that setting activated. As it will never receive a valid authentication cookie from the browser, ASP.NET redirects back to the login page over and over again, and you end up in an endless loop of presented login pages.


If this configuration option is selected, cookies will not be used for authentication. Instead, the runtime encodes the forms authentication ticket into the request URL, and the infrastructure processes this specific portion of the URL for establishing the security context.


Results in the use of cookies if the client browser supports cookies. Otherwise, URL encoding of the ticket will be used. This is established through a probing mechanism.

UseDeviceProfile Results in the use of cookies or URL encoding based on a device profile configuration stored on the web server. These profiles are stored in .browser files in the c:\[WinDir]\Microsoft.NET\Framework\[Version]\CONFIG\Browsers directory.