ASP.NET 1.0 introduced the Forms Authentication feature to allow developers to easily author ASP.NET applications that rely on an authentication mechanism they could control. Forms Authentication exposed a set of APIs that developers can simply call to authenticate the user , such as: FormsAuthentication.RedirectFromLoginPage(Username.Text, False) Forms Authentication in ASP.NET 1.0 would the take the username, encrypt it, and store it within an HTTP cookie. The cookie would be presented on subsequent requests and the user automatically reauthenticated. One of the common feature requests the ASP.NET team continually received was the ability for Forms Authentication to support cookieless authentication, that is, to not require an HTTP cookie. This is just what they've done in ASP.NET 2.0. Enabling Cookieless Forms AuthenticationCookieless Forms Authentication is enabled within the machine.config file or the web.config file of your application by setting the new cookieless attribute (see Listing 6.20). Listing 6.20 Configuring Cookieless Forms Authentication<configuration> <system.web> <authentication mode="Forms"> <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="default.aspx" cookieless="UseCookies" /> </authentication> </system.web> </configuration> The cookieless attribute has four possible values: [20]
If we set the cookieless value to UseUri within web.config and request and authenticate with Forms Authentication, we should see something similar to what Figure 6.14 shows within the URL of the requested page. Figure 6.14. Cookieless Forms Authentication
Below is the requested URLafter authenticationin a more readable form: [View full width]
|