MSCSAuth Tickets

Commerce Server uses MSCSAuth tickets to identify and track registered and authenticated users.

MSCSAuth tickets can be stored in session cookies, or encoded in the URL. When a session ends, the browser automatically deletes session cookies, and the user must re-authenticate when revisiting the site.

Commerce Server authenticates users with the IsAuthenticated method, which checks that the MSCSAuth ticket exists, that the ticket is valid, and that the access time falls within the time window contained in the ticket.


  • Do not use unencrypted tickets. If tickets are unencrypted, attackers can easily hijack them by synthesizing the user ID, and can then steal the identity of legitimate users visiting your site.
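
The three checks described above (ticket exists, ticket is valid, access time is inside the ticket's time window), as an added Python example; it is not Commerce Server code and does not reproduce the MSCSAuth ticket format. An HMAC-SHA256 tag stands in for the ticket encryption recommended above, and the field names, key, and lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real site keeps its key in protected storage.
KEY = b"constructed-demo-key"

def b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_ticket(user_id, now, lifetime_s=1200):
    """Build 'payload.tag': the user ID and its time window, protected by a MAC."""
    payload = json.dumps({"uid": user_id, "start": now, "end": now + lifetime_s}).encode()
    return b64(payload) + "." + b64(hmac.new(KEY, payload, hashlib.sha256).digest())

def check_ticket(ticket, now):
    """Return (user_id, None) if accepted, otherwise (None, reason)."""
    if not ticket:                                   # check 1: ticket exists
        return None, "missing"
    try:
        p64, t64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:                               # wrong shape or bad base64
        return None, "malformed"
    expected = hmac.new(KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # check 2: ticket is valid
        return None, "invalid"
    fields = json.loads(payload)
    if not fields["start"] <= now <= fields["end"]:  # check 3: inside time window
        return None, "outside time window"
    return fields["uid"], None

def tampered_copy(ticket, other_user_id):
    """Constructed negative sample: user ID edited after issuance, tag left as is."""
    p64, t64 = ticket.split(".")
    fields = json.loads(base64.urlsafe_b64decode(p64))
    fields["uid"] = other_user_id
    return b64(json.dumps(fields).encode()) + "." + t64

if __name__ == "__main__":
    ticket = issue_ticket("alice", now=1000, lifetime_s=600)   # constructed values
    print(check_ticket(ticket, now=1300))
    print(check_ticket(ticket, now=1601))
    print(check_ticket(tampered_copy(ticket, "bob"), now=1300))
```

Without the validity check, the edited ticket would be accepted on the strength of its user ID alone, which is the risk the warning above describes.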

See Also

Code to Retrieve a Profile and Set an MSCSAuth Ticket

Code to Retrieve Login Credentials Using the Post Method and Set an MSCSAuth Ticket

Code to Set a Custom Property on a Ticket

MSCSProfile Tickets

Tickets for Anonymous Users Who Register

MSCSAuth and MSCSProfile Ticket Characteristics

Rolling Key Encryption for Authentication Tickets

Encrypting Cookies

Copyright © 2005 Microsoft Corporation.
All rights reserved.