Cookieless sessions and forms authentication in MVC3 RSS

• • Reply
  

  Tony Leeper

  Member

  6 Points

  3 Posts

  Cookieless sessions and forms authentication in MVC3

  Sep 28, 2011 09:36 PM|LINK

  bradwils

  As Levi stated above, cookieless sessions are not supported in ASP.NET MVC (only in WebForms), and it's likely that we will never support cookieless sessions in MVC.

  @bradwils: Is this really true?  It's also broken for Forms Authentication.

  I have a requirement from a client that we don't use cookies for both session and authentication as their browser policy doesn't allow them.  This bug with the Html.BeginForm() helper method is the first problem I've encountered.  What other issues will I have using cookieless session and forms authentication in MVC3?  It all appears to be working at the moment (both session and authentication) by avoiding the default overload and using instead e.g.:

  @using (Html.BeginForm("Login", "Authentication", new { ReturnUrl = Request["ReturnUrl"] }, FormMethod.Post))

  My web.config is e.g.

      <authentication mode="Forms">
        <forms defaultUrl="~/" loginUrl="~/Authentication/Login" timeout="2880" cookieless="UseUri" />
      </authentication>
  
      <sessionState cookieless="UseUri"></sessionState>

  By the way, it looks like it's a problem here:

  // System.Web.Mvc.Html.FormExtensions
  public static MvcForm BeginForm(this HtmlHelper htmlHelper)
  {
      string rawUrl = htmlHelper.ViewContext.HttpContext.Request.RawUrl;
      return htmlHelper.FormHelper(rawUrl, FormMethod.Post, new RouteValueDictionary());
  }

  
  I think you could change that line to:

  string rawUrl = Html.ViewContext.HttpContext.Response.ApplyAppPathModifier(Html.ViewContext.HttpContext.Request.RawUrl);

  Regards,

  Tony

  • Edited by Tony Leeper on Sep 28, 2011 09:41 PM
  • Edited by Tony Leeper on Sep 28, 2011 09:51 PM
  • Edited by Tony Leeper on Sep 28, 2011 09:53 PM
  • Edited by Tony Leeper on Sep 28, 2011 09:54 PM
  • Edited by Tony Leeper on Sep 28, 2011 09:54 PM
  • Edited by ignatandrei on Sep 28, 2011 10:32 PM
  • Split by ignatandrei on Sep 28, 2011 10:32 PM
  • Edited by Tony Leeper on Sep 29, 2011 12:38 PM
• • Reply
  

  ignatandrei

  All-Star

  134491 Points

  21566 Posts

  Moderator

  MVP

  Re: Cookieless sessions and forms authentication in MVC3

  Sep 28, 2011 10:33 PM|LINK

  Tony Leeper

  I have a requirement from a client that we don't use cookies for both session and authentication as their browser policy doesn't allow them

  
  Then use WebForms. But I doubt the client want to use QueryString session as they are more secure ....

  My .NET blog : http://msprogrammer.serviciipeweb.ro/ |2012 Programmer tools
  • Edited by ignatandrei on Sep 29, 2011 12:38 PM
  • Marked as answer by ricka6 on Jun 20, 2012 09:38 PM
• • Reply
  

  Tony Leeper

  Member

  6 Points

  3 Posts

  Re: Cookieless sessions and forms authentication in MVC3

  Sep 29, 2011 12:41 PM|LINK

  That seems a little drastic to change frameworks to one that isn't testable just so I can use cookieless sessions and authentication doesn't it?  I'm a big fan of the MVC framework especially the latest MVC3 release.  Given that it appears to work by avoiding the html.beginform() default overload, I am interested to know in what other ways it isn't supported in MVC, i.e. what other problems am I likely to encounter?

  Ps. I am aware of how unsecure uri re-writing is! however what other options are there if cookies are disabled in the browser?

  • Edited by Tony Leeper on Sep 29, 2011 12:43 PM
• • Reply
  

  ignatandrei

  All-Star

  134491 Points

  21566 Posts

  Moderator

  MVP

  Re: Cookieless sessions and forms authentication in MVC3

  Sep 29, 2011 12:50 PM|LINK

  Tony Leeper

  That seems a little drastic to change frameworks to one that isn't testable just so I can use cookieless sessions and authentication doesn't it?

  Yes. However, you can not do much about it. The MVC is designed from the beginning to NOT support cookieless. I understand the motivation( the routes get's over complicated ).

  But, if you want to try, the MVC source is free on codeplex. Give it a try ;-)

  My .NET blog : http://msprogrammer.serviciipeweb.ro/ |2012 Programmer tools
  • Marked as answer by ricka6 on Jun 20, 2012 09:39 PM
• • Reply
  

  Tony Leeper

  Member

  6 Points

  3 Posts

  Re: Cookieless sessions and forms authentication in MVC3

  Sep 29, 2011 03:36 PM|LINK

  ignatandrei

  The MVC is designed from the beginning to NOT support cookieless

  Is there any plan to suport this in future?  The fact is that browsers still have the option to disable cookies so is something which needs to be supported.  If browser manufacturers changed the option to only allow persistent cookies to be disabled it would eliminate these sorts of headaches, but unfortunately at the moment persistent and non-persistent cookies are disabled together :(

  • Edited by Tony Leeper on Oct 01, 2011 05:20 PM
• • Reply
  

  ricka6

  All-Star

  15070 Points

  2272 Posts

  Microsoft

  Moderator

  Re: Cookieless sessions and forms authentication in MVC3

  Jun 20, 2012 09:40 PM|LINK

  Tony Leeper

  Is there any plan to suport this in future? 

  No

  Rick -ASP.Net UE @RickAndMSFT Rick on MVC, WebAPI and Azure  
  • Marked as answer by ricka6 on Jun 20, 2012 09:40 PM