Forms authentication and cookies

hafa

Perch
I'm currently using session variables as the primary method of authentication throughout a number of asp applications. This method is problematic due to the memory-intensive nature of session variables and the lack of control over timeouts.

Are cookies the only other method for authentication? I'd really prefer a method which would span both .asp and .aspx (.net) pages, as mixed environments are becoming the norm. If cookies are used, what are some of the pitfalls to avoid?

For reference, here's the procedure currently used:

  1. Query the database with user log/pass
  2. If username and password match, set a session variable
  3. Go on about our business

Any suggestions/links are appreciated...
 
ASP.NET forms authentication uses a cookie. However, you have the option to make it cookieless, and ASP.NET would route a series of strings into the URL string to keep track.

I've tried to use it, but encountered some issues with it when it comes to referencing images and whatnot in the .aspx page. I might be doing it wrong and I didn't have the time to find out. If you are brave, you might wanna give it a try. The cookieless option can be set in the web.config file.

One pitfall is if your client is a gov agency: lots of them disable cookies. It's just their policy, and I've worked at many agencies that do that. The same goes for anyone who disables cookies (but I really, really don't think there are many people who do that).

For now, we went with forms authentication in ASP.NET using a cookie, no problem so far :)

Hope that helps.
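
The web.config setting mentioned in the reply above, shown as an added example that is not part of the original thread. The cookie name, login URL and timeout value are placeholders chosen for illustration; the attributes are those of the ASP.NET 2.0+ `<forms>` element.

```xml
<!-- Added example; name, loginUrl and timeout values are placeholders. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!--
        cookieless accepts: UseCookies | UseUri | AutoDetect | UseDeviceProfile
          UseCookies  ticket travels only in the cookie
          UseUri      ticket is embedded in the URL path, so it can end up in
                      server logs, Referer headers, bookmarks and shared links
          AutoDetect  falls back to the URL when the browser refuses cookies
        The weak variant for cookie-disabled clients would be:
          <forms loginUrl="~/Login.aspx" cookieless="UseUri" />
      -->
      <forms name=".EXAMPLEAUTH"
             loginUrl="~/Login.aspx"
             cookieless="UseCookies"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="true"
             path="/" />
      <!--
        protection="All"   encrypts and validates (MACs) the ticket
        requireSSL="true"  marks the cookie Secure so it is never sent over HTTP
        timeout            ticket lifetime in minutes, set explicitly here
                           instead of depending on session-state timeouts
        slidingExpiration  renews the ticket while the user stays active
      -->
    </authentication>
    <authorization>
      <!-- Send anonymous users to loginUrl -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```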
 