Sunday, April 13, 2014

Tutorial: How to do Cookieless ASP.NET Forms Authentication

Background

A cookie is a piece of text that a Web site can park on a user's machine to be retrieved and reused later. The information stored consists of harmless name-value pairs.
Cookies store the ID of the session, and browsers transparently move their contents back and forth between the Web server and the user's machine. When a cookie-enabled browser receives a response, it looks for attached cookies and stores their content in its cookie store (historically a text file in a folder under the local Windows profile). When the browser next sends a request to the site, it looks in that store for cookies that originated from the same domain; any it finds are automatically attached to the outgoing request. The cookie reaches the server application, where it is detected, extracted, and processed. In the end, cookies make Web sites much easier to navigate because they provide the illusion of continuity on top of a user experience that necessarily spans multiple requests.
 

Problem of Cookies

Cookies were alleged to contain dangerous programs capable of stealing valuable information even beyond the physical boundaries of the machine. Cookies are not programs and never run like programs; other software that gets installed on your machine, though, can use the built-in browser support for cookies to do bad things remotely. Furthermore, cookies are at risk of theft. Once stolen, a cookie that contains valuable and personal information can disclose its contents to malicious hackers and favor other types of Web attacks. In summary, by using cookies you expose yourself to risks that could otherwise be eliminated.

This is because cookies are data written to your browser by the server. That prefigures some potential security risks and an overall situation that is less than ideal. (In some cases and countries, it is even illegal for an application to require cookies in order to work.)

If you take a look at your site's statistics regarding the browsers used to access its pages, you might be surprised to discover that a significant share of users connect with cookies disabled. This is something you, as a developer, have to take into account.
 

Solutions

The main reason for cookieless sessions in ASP.NET is that users—for whatever reasons—may have cookies disabled on their browsers. Like it or not, this is a situation you have to face if your application requires session state. Cookieless sessions embed the session ID in the URL and obtain a two-fold result. On the one hand, they provide a way for the Web site to correctly identify the user making the request. On the other hand, though, they make the session ID clearly visible to potential attackers, who can easily steal it and impersonate you.

To implement cookieless sessions you don't have to modify your programming model—a simple change in the web.config file does the trick—but refactoring your application to avoid storing valuable information in the session state is strongly recommended too. At the same time, reducing the lifetime of a session to less than the default 20 minutes helps keep your users and your site safe.
 

How to implement cookieless authentication in ASP.NET?

 
Step 1: Adjust the web.config file.
Interestingly enough, you don't have to change anything in your ASP.NET application code to enable cookieless sessions and cookieless forms authentication, except the following configuration settings: cookieless="true" on the sessionState element and cookieless="UseUri" on the forms element.

<sessionState cookieless="true" />

<authentication mode="Forms">
  <forms loginUrl="Login.aspx" protection="All" timeout="30" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="default.aspx"
         cookieless="UseUri" enableCrossAppRedirects="true"/>
</authentication>

Keep in mind that with cookieless="UseUri" the encrypted authentication ticket travels in every URL, so it also ends up in browser history, in proxy and server logs, and in Referer headers sent to other sites. Keep the timeout short and serve the site over HTTPS so the URL is not exposed on the wire.
 
Step 2: Adjust all of the URL navigations in .aspx files.
Be careful: the following absolute URL does not carry the session segment and therefore breaks the session:
<a runat="server" href="/test/page.aspx">Click</a>

To use absolute URLs, resort to a little trick that uses the ApplyAppPathModifier method of the HttpResponse class. ApplyAppPathModifier takes a string representing a URL and returns an absolute URL that embeds the session (and, with cookieless forms authentication, the ticket) information. Note that an <%= %> expression cannot be placed inside an attribute of a runat="server" tag, so the anchor is written as plain HTML:
<a href="<%= Response.ApplyAppPathModifier("page.aspx") %>">Click</a>
 
Step 3: Adjust all of the URL navigations in aspx.cs files.
If the URL is set in the code, you need to do it in the following way:
 
this.Tab2.Url = Response.ApplyAppPathModifier("Page.aspx");

Step 4: Adjust the authentication method in your login page.
 
After the username and password have been verified, we need to do the following to set the cookieless login state. The ReturnUrl value comes straight from the query string, so before redirecting make sure it is a relative path inside your own application rather than an arbitrary external URL.

// Create a new ticket used for authentication
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                            // Ticket version
    username,                     // Username associated with ticket
    DateTime.Now,                 // Date/time issued
    DateTime.Now.AddMinutes(10),  // Date/time to expire
    true,                         // "true" for a persistent user cookie
    string.Empty,                 // User-data
    string.Empty                  // Path cookie valid for
);
// Encrypt (and sign) the ticket; this is the value that would go into the cookie
string encryptedTicket = FormsAuthentication.Encrypt(ticket);

// The following is the cookie way, for your reference only:
//HttpCookie cookie = new HttpCookie(
//    FormsAuthentication.FormsCookieName, // Name of auth cookie
//    encryptedTicket);                    // Encrypted ticket
// Add the cookie to the outgoing response
//Response.Cookies.Add(cookie);

// The following is the cookieless way we want.
// With cookieless="UseUri" there is no cookie: SetAuthCookie issues the ticket
// and ApplyAppPathModifier embeds it in the redirect URL.
FormsAuthentication.SetAuthCookie(username, false);
// Fall back to the configured defaultUrl when no ReturnUrl was supplied
string returnUrl = Request.QueryString["ReturnUrl"] ?? FormsAuthentication.DefaultUrl;
Response.Redirect(Response.ApplyAppPathModifier(returnUrl));
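Because the steps above put the session ID and the authentication ticket into every URL, they also land in the server's request logs. The following is an added example, not code from the original post: it parses the cookieless path segment, redacts the embedded values before logs are shared, and flags a forms ticket that is seen from more than one client address (the symptom of a leaked or copied URL). It assumes the segment grammar /(S(...)A(...)F(...))/ that ApplyAppPathModifier produces, and the log lines are constructed in a simplified IIS-style layout.

```python
import re
from collections import defaultdict

# ASP.NET cookieless state travels in one path segment, e.g. /(S(sessionid))/ or
# /(S(sessionid)F(authticket))/ (segment grammar is an assumption, see lead-in).
SEGMENT = re.compile(r"/\((?P<body>(?:[SAF]\([^()]*\))+)\)/")
TOKEN = re.compile(r"([SAF])\(([^()]*)\)")

# Constructed, simplified IIS-style log lines: date time client-ip method uri-stem status.
LOG_LINES = [
    "2014-04-13 10:00:01 203.0.113.5 GET /(S(lit3py55t21z5v55vlm25s55)F(tkt001))/default.aspx 200",
    "2014-04-13 10:00:05 203.0.113.5 GET /(S(lit3py55t21z5v55vlm25s55)F(tkt001))/page.aspx 200",
    "2014-04-13 10:02:10 198.51.100.7 GET /(S(lit3py55t21z5v55vlm25s55)F(tkt001))/page.aspx 200",
    "2014-04-13 10:03:00 203.0.113.9 GET /(F(tkt002))/default.aspx 200",
    "2014-04-13 10:04:00 203.0.113.9 GET /login.aspx 200",
]

def parse_state(url):
    """Return {kind: value} for the cookieless segment (S=session, F=forms ticket, A=anonymous id)."""
    m = SEGMENT.search(url)
    return dict(TOKEN.findall(m.group("body"))) if m else {}

def redact_url(url):
    """Blank the embedded values so logs can be shipped or shared without the identifiers."""
    return SEGMENT.sub(
        lambda m: "/(" + TOKEN.sub(lambda t: t.group(1) + "(REDACTED)", m.group("body")) + ")/", url)

def parse_log_line(line):
    """Split a constructed log line into (client_ip, uri_stem)."""
    fields = line.split()
    return fields[2], fields[4]

def tickets_seen_from_multiple_ips(lines):
    """Map each forms ticket used from more than one client address to its sorted addresses.
    A ticket reused from a second address is the symptom of a leaked or copied URL."""
    ips_by_ticket = defaultdict(set)
    for line in lines:
        ip, url = parse_log_line(line)
        ticket = parse_state(url).get("F")
        if ticket:
            ips_by_ticket[ticket].add(ip)
    return {t: sorted(ips) for t, ips in ips_by_ticket.items() if len(ips) > 1}

if __name__ == "__main__":
    for ticket, ips in tickets_seen_from_multiple_ips(LOG_LINES).items():
        print(f"ticket {ticket[:4]}... used from {', '.join(ips)}")
    print(redact_url(parse_log_line(LOG_LINES[0])[1]))
```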
 

 
