How to: Customize the Authentication Cookie from the WCF Authentication Service

This topic shows how to customize the authentication cookie (ticket) for the ASP.NET authentication service when it is used as a Windows Communication Foundation (WCF) service. You customize the authentication cookie when you want to store user-specific data in the cookie during authentication.


In general, storing user-specific data in ASP.NET profile properties is a better option than storing data in the cookie. Profile property data is not bound to one computer or limited to the lifetime of the cookie. In addition, you can store the user data more securely in profile properties. Customizing the content of the cookie is useful if you have a small amount of non-sensitive data and do not want to use the ASP.NET profile feature.

The authentication service raises the CreatingCookie event after the user credentials have been validated and before the authentication cookie has been set. You can customize the cookie by creating an event handler for CreatingCookie and managing the authentication cookie yourself. You can access the user name, password, and custom credentials through the CreatingCookieEventArgs object that is passed to the event handler.

You use the WCF implementation of the authentication service when you want to log a user in from a client application that can send and consume a SOAP 1.1 message, such as a Java application.

  1. In the Global.asax file of the Web application, create an event handler for the CreatingCookie event.

  2. In the handler, add information to the cookie's CustomCredential property.

    The following example shows how to customize the authentication cookie by adding the value of the CustomCredential property to the UserData property.

    Sub AuthenticationService_CreatingCookie(ByVal sender As Object, _
                     ByVal e As System.Web.ApplicationServices.CreatingCookieEventArgs)
        Dim ticket As FormsAuthenticationTicket = New _
           FormsAuthenticationTicket _
            (1, _
             e.Username, _
             DateTime.Now, _
             DateTime.Now.AddMinutes(30), _
             e.IsPersistent, _
             e.CustomCredential, _
        Dim encryptedTicket As String = FormsAuthentication.Encrypt(ticket)
        Dim cookie As HttpCookie = New _
            HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
        cookie.Expires = DateTime.Now.AddMinutes(30)
        e.CookieIsSet = True
    End Sub
    void AuthenticationService_CreatingCookie(object sender, 
        System.Web.ApplicationServices.CreatingCookieEventArgs e)
        FormsAuthenticationTicket ticket = new
        string encryptedTicket =
        HttpCookie cookie = new HttpCookie
        cookie.Expires = DateTime.Now.AddMinutes(30);
        e.CookieIsSet = true;
  3. In the Application_Start method of the Global.asax file, bind the event handler for the CreatingCookie event.

    The following example shows how to bind a handler to the CreatingCookie event.

    Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
        AddHandler System.Web.ApplicationServices.AuthenticationService.CreatingCookie, _
            AddressOf Me.AuthenticationService_CreatingCookie
    End Sub
    void Application_Start(object sender, EventArgs e)
            += new EventHandler<System.Web.ApplicationServices.CreatingCookieEventArgs>
  4. Call the authentication service from an application that can consume a SOAP message from a Web service.

Compiling the Code

You must set up the authentication service on a Web server for the previous examples to work. For more information, see How to: Enable the WCF Authentication Service.


If you are passing sensitive user data such as authentication credentials, always access the authentication service over the secure sockets layer (SSL, by using HTTPS protocol). For information about how to set up SSL, see Configuring Secure Sockets Layer (IIS 6.0 Operations Guide).

See Also





Windows Communication Foundation Authentication Service Overview