Share via


anonymousIdentification Element (ASP.NET Settings Schema)

Configures anonymous identification for application authorization. This is required to identify entities that are not authenticated when authorization is required.

This element is new in the .NET Framework version 2.0.

<anonymousIdentification  
   enabled="[true | false]"
   cookieless="[UseUri | UseCookies | AutoDetect | UseDeviceProfile]"
   cookieName=""
   cookiePath=""
   cookieProtection="[None | Validation | Encryption | All]"
   cookieRequireSSL="[true | false]"
   cookieSlidingExpiration="[true | false]"
   cookieTimeout="[DD.HH:MM:SS]"
   domain="cookie domain"
/>

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute Description

cookieless

Specifies whether to use cookies for a Web application. The HttpCookieMode enumeration is used to specify the value for this attribute in the configuration section. It is used by all features that support cookieless authentication. When the AutoDetect value is specified, ASP.NET queries the browser or device to determine whether it supports cookies. If the browser or device supports cookies, cookies are used to persist user data; otherwise, an identifier is used in the query string.

This attribute can be one of the following possible values.

Value Description

AutoDetect

Specifies that ASP.NET determines whether the requesting browser or device supports cookies. If the requesting browser or device supports cookies, AutoDetect uses cookies to persist user data; otherwise, an identifier is used in the query string. If the browser or device supports the cookies, but cookies are currently disabled, cookies are still used by the requesting feature.

UseCookies

Specifies that cookies are used to persist user data, regardless of whether the browser or device supports cookies. This is the default.

UseDeviceProfile

Specifies that ASP.NET determines whether to use cookies based on the HttpBrowserCapabilities setting. If the setting indicates that the browser or device supports cookies, cookies are used; otherwise, an identifier is used in the query string.

UseUri

Specifies that the calling feature uses the query string to store an identifier, regardless of whether the browser or device supports cookies.

The default is "UseCookies".

cookieName

Specifies the name that is assigned to the cookie.

The default value is ".ASPXANONYMOUS".

cookiePath

Specifies the path to the directory where the cookie is stored. The path is case-sensitive.

The default is the root directory that is specified by "/".

cookieProtection

Specifies the cookie protection scheme.

This attribute can be one of the following possible values.

Value Description

All

Specifies that both the Validation and Encryption values are used to protect the information in the cookie.

Encryption

Encrypts the information in the cookie.

None

Specifies that the cookie information is not protected. Information in the cookie is stored in clear text and is not validated when the information is sent back to the server.

Validation

Ensures that the information in the cookie has not been altered before the information is sent back to the server.

The default is "Validation".

cookieRequireSSL

Specifies whether the cookie requires a Secure Sockets Layer (SSL) connection when it is transmitted to the client. Because ASP.NET sets the authentication cookie property, Secure, the client does not return the cookie unless an SSL connection is in use.

The default is false.

cookieSlidingExpiration

Required Boolean attribute.

Specifies whether the cookie timeout is reset at each request or at a predefined fixed time interval. If true, the cookie timeout occurs when less than 50 percent of the Time to Live (TTL) remains. If false, the cookie times out after the cookieTimeout duration has passed.

The default is true.

cookieTimeout

Required TimeSpan attribute.

Specifies the cookie expiration time interval, in minutes.

The default is 100000 minutes (69 days, 10 hours, and 40 minutes).

The maximum value is 2 years.

domain

Specifies the cookie domain. This attribute allows the anonymous identification cookie to be shared across domains that have a common DNS namespace (for example, all sites that end in contoso.com). To share anonymous identification cookies, the sites must share common decryption and validation keys. Other anonymous identification configuration attributes, such as cookiePath and cookieName, must be the same for all the sites. For more information, see HttpCookie.

The default is an empty string ("").

enabled

Optional Boolean attribute.

Specifies whether anonymous identification is enabled. If true, a cookie (or cookieless value) is used to manage the user's anonymous identifier.

The default is false.

Child Elements

None.

Parent Elements

Element Description

configuration

Specifies the required root element in every configuration file that is used by the common language runtime and the .NET Framework applications.

system.web

Specifies the root element for the ASP.NET configuration settings in a configuration file and contains elements that configure ASP.NET Web applications and control how the applications behave.

Remarks

The <anonymousIdentification> element configures anonymous identification for application authorization. This is required to identify entities that are not authenticated when you use the Profile feature.

You can exceed the maximum size of the URI when you send the anonymous identification ticket in the URI. If the combination of the anonymous identification ticket, forms authentication ticket, session ID, and user data is greater than the maximum permissible URI length, the request will fail with a 400-Bad Request error.

Default Configuration

The following default <anonymousIdentification> element is not explicitly configured in the Machine.config file or in the root Web.config file. However, it is the default configuration that is returned by an application.

<anonymousIdentification 
   enabled="false" 
   cookieName=".ASPXANONYMOUS" 
   cookieTimeout="100000"    
   cookiePath="/" 
   cookieRequireSSL="false" 
   cookieSlidingExpiration="true" 
   cookieProtection="Validation"    
   cookieless="UseCookies" 
   domain="" 
/>

Example

The following code example demonstrates how to configure a site for anonymous identification.

<configuration>
    <system.web>
      <anonymousIdentification 
        enabled="true"
        cookieless="UseCookies"
        cookieName=".ASPXANONYMOUS
        cookieTimeout="30"
        cookiePath="/"
        cookieRequireSSL="false"
        cookieSlidingExpiration = "true"
        cookieProtection="Clear"
      />
    </system.web>
</configuration>

Element Information

Configuration section handler

AnonymousIdentificationSection

Configuration member

AnonymousIdentification

Configurable locations

Machine.config

Root-level Web.config

Application-level Web.config

Requirements

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, or 6.0

The .NET Framework version 2.0

Microsoft Visual Studio 2003 or Visual Studio 2005

See Also

Tasks

How to: Configure Specific Directories Using Location Settings
How to: Lock ASP.NET Configuration Settings

Reference

system.web Element (ASP.NET Settings Schema)
configuration Element (General Settings Schema)
System.Configuration
System.Web.Configuration
AnonymousIdentificationSection
AnonymousIdentification

Concepts

Securing Profile Properties
ASP.NET Configuration File Hierarchy and Inheritance
Securing ASP.NET Configuration
ASP.NET Configuration Scenarios

Other Resources

General Configuration Settings (ASP.NET)
ASP.NET Configuration Settings
Configuring ASP.NET Applications
ASP.NET Configuration API