How to get Cookieless FormsAuthentication to work with self-issued FormsAuthenticationTickets and custom UserData
Short answer: You can't.
I have an application that issues FormsAuthTickets like this...
// Create the authentication ticket
FormsAuthenticationTicket authTicket = new
userName, // user name
// Now encrypt the ticket.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket to the cookie as data.
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,encryptedTicket);
...that was written in .NET 1.1. (FYI - It could have just as easily been written in .NET 2.0, there's nothing special here, but I want to write this code to support (be run under) both 1.1 and 2.0.)
The built-in ASP.NET helper functions SetAuthCookie and GetAuthCookie have been expanded to handle Cookieless formsauth in .NET 2.0. So, if I used have used these methods in 1.1 I'd get the new funcitonality when my app was run under 2.0. However, I wanted to include UserData - extra encrypted context stuff - in my FormsAuthenticatonTicket, so the only choice was to issue the cookie myself.
For many of us, the promise of a cookieless Session AND cookieless FormsAuthentication is very exciting:
If you issue your own cookie like I do, adding it to Response.Cookies yourself as I do, your ASP.NET application won't get cookieless FormsAuthentication.
The problem is, System.Web.Security.FormsAuthentication.SetAuthCookie(String, Boolean) doesn’t allow the setting of UserData. (only String.Empty is passed in on creation of the ticket)
To be clear – if I could use SetAuthCookie and GetAuthCookie (the public static interfaces) I'd have been fine and received the new functionality. However, the UserData support is where this important scenario falls down. I thought I could roll this myself, but all the classes I need are very internal and more than a little icky.
A Microsoft ASP.NET insider said:
There isn't an API that allows the use of UserData with cookieless tickets. Unfortunately UserData was [not included] in the cookieless forms auth implementation.
Conclusion: If you want cookieless FormsAuthentication you must use SetAuthCookie. Full stop. Until then I will find somewhere else to store my UserData.