Does Forms Authentication require cookies?

[Peter Rilling]

I am creating a website that uses Forms Authentication. From what I have
read, FA uses cookies to store the authentication ticket once logged in. My
customer would also like this site to not require cookies. Does FA require
the use of cookies or can I use some other mechanism when I set the system
to use cookieless sessions?

 

[Winista]

in web.config you set cookieless attribute to "true"/

 

[Richard]

You could use a session variable instead? Redirect the user to the log
on page when the variable is not set. On valid logon set the sesssion
varriable.

When you pages load just check for the variable, rather than cookies.

 

[Stephen Barrett]

The direct answer to your question is if you want to use the FA built in
system, then a cookie is required. As others have mentioned you can work
around it by using a session variable, but that isn't really using FA.

You would have to make sure all your pages inherit from a base class to
where you can check your session var, or put code in each page (yuck), or
write your own http handler to that could do the check. Of course, none of
these methods are using FA.

 

[Brock Allen]

Sessions use cookies as well to track the user, so this still doesn't meet
the requirement.

ASP.NET 2.0 supports cookieless FormsAuthentication, and in fact it can AutoDetect
user-by-user if they have disabled cookies.