Forms authenticaton in and c#

mu_ravi1 used Ask the Experts™

iam facing one problem in forms authentication.

if i disable cookies in the browser
forms authentication will not work.
we had implemented forms authentication in huge in the project.
If cookies is disabled tell me the mitigation plan to work with forms authentication.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
ǩa̹̼͍̓̂ͪͤͭ̓u͈̳̟͕̬ͩ͂̌͌̾̀ͪf̭̤͉̅̋͛͂̓͛̈m̩̘̱̃e͙̳͊̑̂ͦ̌ͯ̚d͋̋ͧ̑ͯ͛̉Glanced up at my screen and thought I had coded the Matrix...  Turns out, I just fell asleep on the keyboard.
Most Valuable Expert 2011
Top Expert 2015

Is this what you are after?
In your web.config file, in your sessionState tag, set the attribute
OWASP: Threats Fundamentals

Learn the top ten threats that are present in modern web-application development and how to protect your business from them.

Cookieless forms authentication
Why, when?

They say, its not possible. Well it is, and relatively easy to accomplish!

Lot of companies and people want to exclude cookie usage from their lives. Partly because its said to be insecure, partly because they see no reason to use it.

In my case, it was mandatory not to use cookies, but make a forms login page. Of course I've started with the normal forms authentication, cause I believed, that the big brother couldn't make such a mistake, to use cookies.

They did. After searching all the forums how to skip cookie usage, all I've found was this:
The hard way

If you pass the encoded cookie as a GET parameter to the Response.Redirect() function, the system will work as normal: the user will be signed in until the parser can find the cookie as a GET parameter, or a cookie is not easy, and makes no sense at all.

The code snippet to accomplish the "get" way of cookieless authentication is:

FormsAuthenticationTicket tkt;
string cookiestr;
HttpCookie ck;

//create a valid ticket for forms authentication

tkt = new FormsAuthenticationTicket(1, userName, DateTime.Now,
DateTime.Now.AddMinutes(30), false, "your custom data");

//get the string representation of the ticket

cookiestr = FormsAuthentication.Encrypt(tkt);

//redirect to the return URL using the cookie in the address field

//In the web.config, we called out auth. ASPXFORMSAUTH2, so set that value

string strRedirect = Request["ReturnUrl"] + "?.ASPXFORMSAUTH2=" + cookiestr;
Response.Redirect(strRedirect, true);

This is useless, I tell you. Completely unpleasant, and insecure (you have to change all the links, which of course you won't)
And here is the way, you can do it:
The configuration

No authentication tag needed beside the "none". The next line in the web.config will tell the framework not to store the session ID in a cookie, but add as a special directory to the address field.

<sessionState cookieless="true" timeout="20" />

After adding this line, the address field will always look like:


As you can see, on each request, the session ID is passed as a directory. Very smart solution from MS! When you want to create a link with get parameters to another page, you have to pay attention to it, since calling an aspx without the session ID in the address will create a new session. So, to create a link, that has GET parameters, do this:

string url =
// we build the whole link. Firstly, we get our host name

 "http://" + Request.Headers["Host"] + "/" +
// then the path of the request, and append the session ID, as shown above

 Request.ApplicationPath +
 "/(" + Session.SessionID +
// simply add the target page with the HTTP-GET parameters.

 "State", state.ToString(),
 "Lang", langID.ToString()

(OK, I needed it. Usually people don't care about GET parameters, so probably you won't need it.)
The coding part

In global.asax.cs, add:

private void InitializeComponent()
{  // This tells the global to catch all session initialization events,

   // So before every page load, we will have the Global_Acq. called! Good starting!

   this.AcquireRequestState += new


void Global_AcquireRequestState(object sender, System.EventArgs e)
      //This tells the global to check whether code "Name-John" is in the session

      //variable, called "Authenticated". To say it simple,

      //checks, whether someone set this


      if((string)Session["Authenticated"] != "Name-John")
      // If yes, do nothing, so the requested page will load.

            // If it's not set yet, redirect to the login page,

            // if the caller is not the login page already. If it is, we don't

            //want loops, so let is load


If the user entered valid codes (check them however you like), in login.apsx.cs, set the session variable Authenticated to code Name-John, so the global will let the users download pages.

Session["Authenticated"] = "Name-John";
//the auth is successfull, so send the user to the page

Response.Redirect("default.aspx", true);

As you see, this is a pure redirect function. No ASP.NET forms authentication is used. On the default.aspx, place whatever you want. Those controls will be in safety. If you want to sign out the user, call this code:

//signs out

//redirects to itself. This will redirect to login.aspx, cos we are signed out


Misc good to knows

After clicking the sign-out, the user will be back on login.aspx. If he presses back, he can see the page from his browser's cache, but cannot click anything. It could be wise to set the cache expiration.

If you press [Back], then [Refresh], the explorer will asks for "The page cannot be refreshed without resending the information", and prompts for "Retry/Cancel".

Usually, when someone presses retry, the password is sent again, and the user is signed in again. Well, not in our case

You can try, that this method really doesn't use cookies: in Internet Explorer, go Tools / Internet Options. Go Privacy, and block all cookies, then try to sign in'n'out.




I will try this and let u know on this.



Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial