Windows Identity Foundation (WIF) Configuration – Part II (, , )

The information in this post is based on Windows Identity Foundation Config.xml file that ships with WIF SDK.


<cookieHandler> controls the CookieHandler, which is responsible for reading and writing raw cookies at the HTTP protocol level.

SessionAuthenticationModule uses the cookieHandler to read and write cookies.


  • Default (default). The same as Chunked.
  • Chunked. Uses an instance of the ChunkedCookieHandler class. This cookie handler ensures that individual cookies do not exceed a set maximum size. It accomplishes that by potentially "chunking" one logical cookie into a number of on-the-wire cookies.
  • Custom. Uses an instance of a custom CookieHandler-derived class, referenced by the <customCookieHandler> element.


  • domain. String, default is "" .  The domain value for any cookies written.
  • hideFromScript. Boolean, default is true. Controls whether the "HttpOnly" flag is emitted for any cookies written. Certain web browsers honor this flag by keeping client-side script from accessing the cookie value.
  • name. String, default "FedAuth" . Controls the base name for any cookies written.
  • path. String, default is HttpRuntime.AppDomainAppVirtualPath. Controls the path value for any cookies written.
  • requireSsl. Boolean, default is false. Controls whether the "Secure" flag is emitted for any cookies written. If this value is set, the sign-in session cookies will only be available over HTTPS.
  • persistentSessionLifetime. The lifetime of persistent sessions in days. If Zero, transient sessions are always used. Tickets for persistent sessions are stored in file-based cookies, meaning that the sign-in session may continue after the web browser is closed and reopened. The default value is null.


         <cookieHandler mode="Custom"








<chunkedCookieHandler> may only be present if the cookieHandler/@mode   is Default or Chunked. It controls the ChunkedCookieHandler.


  • chunkSize. Int32, default is 2000. The maximum size in characters of the HTTP cookie data for any one HTTP cookie. Care must be taken when adjusting the chunk size. Web browsers have different limits on the size of cookies and number per domain. The original Netscape specification stipulated these limits: 300 cookies total, 4096 bytes per cookie header (including  metadata, not just the cookie value), and 20 cookies per domain.


 <chunkedCookieHandler chunkSize="2000" />


<customCookieHandler> may only be present if the cookieManager/@mode is Custom. It references a custom type which must be derived from CookieHandler. See the comments before the <configuration> element on custom type references.


 <customCookieHandler type="MyNamespace.CustomCookieHandler, MyAssembly" />