anonymousIdentification Element (ASP.NET Settings Schema)
Configures anonymous identification for application authorization. This is required to identify entities that are not authenticated when authorization is required.
This element is new in the .NET Framework version 2.0.
configuration Element (General Settings Schema)
  system.web Element (ASP.NET Settings Schema)
    anonymousIdentification Element (ASP.NET Settings Schema)
<anonymousIdentification
  enabled="[true | false]"
  cookieless="[UseUri | UseCookies | AutoDetect | UseDeviceProfile]"
  cookieName=""
  cookiePath=""
  cookieProtection="[None | Validation | Encryption | All]"
  cookieRequireSSL="[true | false]"
  cookieSlidingExpiration="[true | false]"
  cookieTimeout="[DD.HH:MM:SS]"
  domain="cookie domain"
/>
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Attributes
Attribute |
Description |
---|---|
cookieless |
Specifies whether to use cookies for a Web application. The HttpCookieMode enumeration is used to specify the value for this attribute in the configuration section. It is used by all features that support cookieless authentication. When the AutoDetect value is specified, ASP.NET queries the browser or device to determine whether it supports cookies. If the browser or device supports cookies, cookies are used to persist user data; otherwise, an identifier is used in the query string.
Note: When you configure an AJAX-enabled ASP.NET Web site, use only the default value of UseCookies for the cookieless attribute. Settings that use cookies encoded in the URL are not supported by the ASP.NET AJAX client script libraries.
This attribute can be one of the following possible values.
Value | Description
---|---
AutoDetect | Specifies that ASP.NET determines whether the requesting browser or device supports cookies. If the requesting browser or device supports cookies, AutoDetect uses cookies to persist user data; otherwise, an identifier is used in the query string. If the browser or device supports cookies, but cookies are currently disabled, cookies are still used by the requesting feature.
UseCookies | Specifies that cookies are used to persist user data, regardless of whether the browser or device supports cookies. This is the default.
UseDeviceProfile | Specifies that ASP.NET determines whether to use cookies based on the HttpBrowserCapabilities setting. If the setting indicates that the browser or device supports cookies, cookies are used; otherwise, an identifier is used in the query string.
UseUri | Specifies that the calling feature uses the query string to store an identifier, regardless of whether the browser or device supports cookies.
The default is "UseCookies". |
cookieName |
Specifies the name that is assigned to the cookie. The default value is ".ASPXANONYMOUS". |
cookiePath |
Specifies the path to the directory where the cookie is stored. The path is case-sensitive. The default is the root directory that is specified by "/". |
cookieProtection |
Specifies the cookie protection scheme. This attribute can be one of the following possible values.
Value | Description
---|---
All | Specifies that both the Validation and Encryption values are used to protect the information in the cookie.
Encryption | Encrypts the information in the cookie.
None | Specifies that the cookie information is not protected. Information in the cookie is stored in clear text and is not validated when the information is sent back to the server.
Validation | Ensures that the information in the cookie has not been altered before the information is sent back to the server.
The default is "Validation". |
cookieRequireSSL |
Specifies whether the cookie requires a Secure Sockets Layer (SSL) connection when it is transmitted to the client. When this attribute is true, ASP.NET sets the Secure property of the cookie, and the client does not return the cookie unless an SSL connection is in use. The default is false. |
cookieSlidingExpiration |
Required Boolean attribute. Specifies whether the cookie timeout is reset at each request or at a predefined fixed time interval. If true, the cookie timeout occurs when less than 50 percent of the Time to Live (TTL) remains. If false, the cookie times out after the cookieTimeout duration has passed. The default is true. |
cookieTimeout |
Required TimeSpan attribute. Specifies the cookie expiration time interval, in minutes. The default is 100000 minutes (69 days, 10 hours, and 40 minutes). The maximum value is 2 years. |
domain |
Specifies the cookie domain. This attribute allows the anonymous identification cookie to be shared across domains that have a common DNS namespace (for example, all sites that end in contoso.com). To share anonymous identification cookies, the sites must share common decryption and validation keys. Other anonymous identification configuration attributes, such as cookiePath and cookieName, must be the same for all the sites. For more information, see HttpCookie. The default is an empty string (""). |
enabled |
Optional Boolean attribute. Specifies whether anonymous identification is enabled. If true, a cookie (or cookieless value) is used to manage the user's anonymous identifier. The default is false. |
Child Elements
None.
Parent Elements
Element | Description
---|---
configuration | Specifies the required root element in every configuration file that is used by the common language runtime and the .NET Framework applications.
system.web | Specifies the root element for the ASP.NET configuration settings in a configuration file and contains elements that configure ASP.NET Web applications and control how the applications behave.
Remarks
The <anonymousIdentification> element configures anonymous identification for application authorization. This is required to identify entities that are not authenticated when you use the Profile feature.
You can exceed the maximum size of the URI when you send the anonymous identification ticket in the URI. If the combination of the anonymous identification ticket, forms authentication ticket, session ID, and user data is greater than the maximum permissible URI length, the request fails with a 400 Bad Request error.
Default Configuration
The following default <anonymousIdentification> element is not explicitly configured in the Machine.config file or in the root Web.config file. However, it is the default configuration that is returned by an application.
<anonymousIdentification
  enabled="false"
  cookieName=".ASPXANONYMOUS"
  cookieTimeout="100000"
  cookiePath="/"
  cookieRequireSSL="false"
  cookieSlidingExpiration="true"
  cookieProtection="Validation"
  cookieless="UseCookies"
  domain=""
/>
Example
The following code example demonstrates how to configure a site for anonymous identification.
<configuration>
  <system.web>
    <anonymousIdentification
      enabled="true"
      cookieless="UseCookies"
      cookieName=".ASPXANONYMOUS"
      cookieTimeout="30"
      cookiePath="/"
      cookieRequireSSL="false"
      cookieSlidingExpiration="true"
      cookieProtection="Validation"
    />
  </system.web>
</configuration>
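A configuration like the one above can be checked against the attribute descriptions and defaults on this page before deployment. The following Python sketch is an added example, not part of the original documentation or of ASP.NET: it applies the documented defaults to any attribute that is not set, rejects values outside the documented value lists, and reports settings that weaken the cookie when the feature is enabled. The function name `audit_anonymous_identification` and the sample input are constructed for illustration, and the sketch assumes the `<configuration>` element carries no XML namespace.

```python
import xml.etree.ElementTree as ET

# Defaults and allowed values as documented on this page.
DEFAULTS = {"enabled": "false", "cookieless": "UseCookies",
            "cookieProtection": "Validation", "cookieRequireSSL": "false"}
ALLOWED = {
    "enabled": {"true", "false"},
    "cookieless": {"UseUri", "UseCookies", "AutoDetect", "UseDeviceProfile"},
    "cookieProtection": {"None", "Validation", "Encryption", "All"},
    "cookieRequireSSL": {"true", "false"},
}

def audit_anonymous_identification(web_config_xml):
    """Return (attribute, message) findings for one configuration file."""
    root = ET.fromstring(web_config_xml)
    element = next(root.iter("anonymousIdentification"), None)
    explicit = dict(element.attrib) if element is not None else {}
    effective = {**DEFAULTS, **explicit}  # unset attributes fall back to defaults
    findings = [(name, f"invalid value {effective[name]!r}")
                for name, allowed in ALLOWED.items()
                if effective[name] not in allowed]
    if effective["enabled"] != "true":
        return findings  # feature is off: only invalid values are reported
    protection = effective["cookieProtection"]
    if protection == "None":
        findings.append(("cookieProtection", "cookie is clear text and not validated"))
    elif protection in ("Validation", "Encryption"):
        findings.append(("cookieProtection", "validation or encryption only, not both (All)"))
    if effective["cookieRequireSSL"] == "false":
        findings.append(("cookieRequireSSL", "cookie is not limited to SSL connections"))
    if effective["cookieless"] in ("UseUri", "AutoDetect", "UseDeviceProfile"):
        findings.append(("cookieless", "identifier can be carried in the URL"))
    return findings

# Constructed sample input: enabled, with everything else left at its default.
SAMPLE = """<configuration><system.web>
  <anonymousIdentification enabled="true" />
</system.web></configuration>"""

if __name__ == "__main__":
    for attribute, message in audit_anonymous_identification(SAMPLE):
        print(f"{attribute}: {message}")
```

Because unset attributes inherit the defaults, a section that only sets enabled="true" is still reported for cookieProtection and cookieRequireSSL.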
Element Information
Configuration section handler | |
Configuration member | |
Configurable locations | Machine.config; Root-level Web.config; Application-level Web.config |
Requirements | Microsoft Internet Information Services (IIS) versions 5.0, 5.1, or 6.0; the .NET Framework version 2.0; Microsoft Visual Studio 2003 or Visual Studio 2005 |
See Also
Tasks
How to: Configure Specific Directories Using Location Settings
How to: Lock ASP.NET Configuration Settings
Reference
system.web Element (ASP.NET Settings Schema)
configuration Element (General Settings Schema)
AnonymousIdentificationSection
Concepts
ASP.NET Configuration File Hierarchy and Inheritance
Securing ASP.NET Configuration
ASP.NET Configuration Scenarios
Other Resources
General Configuration Settings (ASP.NET)
ASP.NET Configuration Settings