MSCSProfile Tickets

Article
11/12/2009

Commerce Server uses MSCSProfile tickets to identify and track anonymous users who visit your site. MSCSProfile tickets are stored in persistent cookies for users who allow persistent cookies. If users do not allow persistent cookies, the MSCSProfile ticket is encoded in the URL.

When an MSCSProfile ticket is stored in a persistent cookie, you can determine how long the MSCSProfile ticket is valid, typically several years, by configuring the Profile Cookie Expiration Date property in the CS Authentication resource. For more information about persistent cookies, see Commerce Server Cookies.

If MSCSProfile is stored in a persistent cookie, the ticket remains on the client computer after the session is closed. The persistent cookie is not deleted, unless the user deletes the cookie.

It is recommended that you only use MSCSProfile tickets for anonymous users. Never use an MSCSProfile ticket to authenticate a user because an MSCSProfile ticket is stored in a persistent cookie. For example, consider a public kiosk scenario: if you authenticate a user using an MSCSProfile ticket, the next user in line could access the pages to which the previous user had been granted access.

Never use an MSCSProfile ticket to provide access to sensitive personal information, such as credit card or social security numbers. Use MSCSProfile tickets to provide personalization (for example, name greetings), and preferences (for example, UI language or display preferences), or to track the anonymous users browsing your site.

Ee784636.note(en-US,CS.20).gif Note

Do not use unencrypted tickets. If tickets are unencrypted, attackers can easily hijack them by synthesizing the user ID, and then they can steal the identity of legitimate users visiting your site.

MSCSProfile Tickets

See Also

Additional resources