Commerce Server uses MSCSAuth tickets to identify and track registered and authenticated users.
MSCSAuth tickets can be stored in session cookies, or encoded in the URL. When a session ends, the browser automatically deletes session cookies, and the user must re-authenticate when revisiting the site.
The Commerce Server method for authentication, the IsAuthenticated method, checks for the existence of the MSCSAuth ticket and ensures that the ticket is valid, and that the access time is within the time-window contained in the ticket.
- Do not use unencrypted tickets. If tickets are unencrypted, attackers can easily hijack them by synthesizing the user ID, and then they can steal the identity of legitimate users visiting your site.