Anonymous Identification

Anonymous identification is another new feature in ASP.NET 2.0. The goal of the feature is to provide a unique identification to users that are not authenticated. The feature is not tied in any way to security but is rather a simple mechanism to assign a guaranteed unique ID to anonymous users. After authentication, the anonymous ID is removed from the request.

Anonymous identification is not enabled by default. To enable it you must either add an entry to your web.config file or modify machine.config . Below is a web.config that enables the anonymous identification feature:

 <configuration>   <system.web>     <anonymousIdentification enabled="true" />   </system.web> </configuration> 

Enabling the feature is simple. There are, however, several other attributes that can be set, as shown in Listing 7.8.

Listing 7.8 Configuring Anonymous Identification

 configuration>   <system.web>     <anonymousIdentification         enabled="true"         cookieName=".ASPXANONYMOUS"         cookieTimeout="100000"         cookiePath="/"         cookieRequireSSL="false"         cookieSlidingExpiration="true"         cookieProtection="None"         cookieless="UseCookies"     />   </system.web> </configuration> 

As you can see, there is a Boolean -enabled attribute used to enable the feature. When enabled, anonymous identification will use a cookie to store the anonymous ID. If you do not wish to use a cookie or do not know if the end user browser supports cookies, you can also set one of the following values for cookieless :

• UseUri : Store the anonymous ID within the address of the application. (This is similar to what is done in ASP.NET 1.0 with cookieless Session support.)

• AutoDetect : Automatically detect whether cookies are supported or not. When cookies are supported, use them. If not, store the anonymous ID in the URL.

• UseDeviceProfile : Use the configured profile for the device making the request.

However, UseCookies (shown in the listing above) is the recommended choice. This option is less intrusive , that is, the ID is not embedded in the URL, and nearly all users accept cookies. When using the AutoDetect option, keep in mind that ASP.NET will need to test the incoming request to see whether cookies are supported.

Once anonymous identification is enabled, unauthenticated requests are assigned an anonymous ID. This is different than the Session ID. The Session ID is a relatively small identifier and is guaranteed to be unique only for the duration of the session; the anonymous ID value is a GUID and is guaranteed to be globally unique.

The anonymous ID is accessed through the new Request.Anonymous Id property. Although the anonymous ID is a GUID, the ASP.NET team decided to make the return value type string more users are familiar with working with string than GUIDs.

Anonymous Identification Events

Two events are raised by anonymous identification.

1. AnonymousIdentification_OnCreate : Raised when the anonymous ID is created. The EventArgs of the event delegate must be of type AnonymousIdentificationEventArgs . AnonymousIdentification EventArgs exposes an AnonymousId property that can be set. If you desire to change the auto-generated anonymous ID, you must change the value within this event.

2. AnonymousIdentification_OnRemove : Raised when the request is authenticated but an anonymous ID is still present. This event allows you to perform any cleanup with the anonymous ID before it is removed. Once a request is authenticated, the anonymous ID is no longer available.

As we'll see shortly, the AnonymousIdentification_OnRemove event is important since we use it in conjunction with Personalization to allow for the migration of anonymous personalization data.