Autocookie Mode

Autocookie mode allows anonymous users to be tracked between pages and across sessions. A unique ID is generated to identify the user and, if required, a profile is created to store information about the user. For a code example showing these steps, see Code to Set a New MSCSProfile Ticket.

When a user sends a request to access a site, the AuthFilter ISAPI filter performs the following steps after being notified by Internet Information Services (IIS) that an SF_NOTIFY_PREPROC_HEADERS event has occurred:

  1. Checks for site configuration properties in the local site cache and, if not found, reads the site configuration properties from the Administration database using a SiteConfig object and stores them in the site cache.

  2. Checks whether the URL is correct, automatically correcting for case sensitivities.

  3. Checks for cookie support on the browser.

  4. If cookies are not supported, the user is redirected to the Active Server Pages (ASP) page specified in the s_NoCookie_Form ("No-Cookie form" in the Commerce Server Manager user interface) property of the CS Authentication resource. Usually this page notifies the user that cookies are required and that the user should resubmit the request once cookies are enabled. By default, an ASP page, named nocookie.asp, is supplied for this purpose. This file is located in the AuthFiles folder in the Commerce Server installation directory.

  5. If a cookie is returned, the AuthFilter checks whether it contains an MSCSProfile ticket.

  6. If the MSCSProfile ticket exists, the AuthFilter uses a valid Windows user account to impersonate the user in IIS.

  7. If the requested URL has anonymous access rights, the URL is returned.

  8. If the ticket does not exist, the user is redirected to the ASP page specified in the s_AutoCookie_Form ("AutoCookie Form" in the Commerce Server Manager user interface) property of the CS Authentication resource.

AutoCookie Page

All the preceding steps are transparent to the site developer. The following actions take place in the autocookie page, which must be supplied by the site developer:

  1. Persistent cookie support is checked, and if unavailable, the user is redirected to the no-cookie page.

  2. If persistent cookie support is enabled, a globally unique identifier (GUID) or another unique ID is created to identify the user.

  3. The unique ID is set into an MSCSProfile ticket for the user.

  4. At this point a profile can be created to store information about the anonymous user.

  5. The user is redirected to the requested URL.

A default page, autocookie.asp, showing much of this functionality is supplied with the installed product and located in the \Microsoft Commerce Server\AuthFiles folder.
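
The redirect exchange described above, from first anonymous request to served page, modelled as an added example; this is not Commerce Server code and not the supplied autocookie.asp. The URL paths, function names and the use of a bare GUID as the ticket value are assumptions made for illustration. Impersonation and the anonymous-access check are not modelled.

```python
import uuid

# Hypothetical URL paths standing in for the values of the
# s_NoCookie_Form and s_AutoCookie_Form properties.
NO_COOKIE_FORM = "/AuthFiles/nocookie.asp"
AUTO_COOKIE_FORM = "/AuthFiles/autocookie.asp"
TICKET = "MSCSProfile"


def auth_filter(url, cookies, cookies_supported=True):
    """Filter steps 3-8: decide what happens to one incoming request."""
    if not cookies_supported:
        return ("redirect", NO_COOKIE_FORM)    # step 4
    if TICKET in cookies:
        return ("serve", url)                  # steps 5-7 (access check not modelled)
    return ("redirect", AUTO_COOKIE_FORM)      # step 8


def autocookie_page(requested_url, cookies, persistent_supported=True):
    """Autocookie page steps 1-5, as supplied by the site developer."""
    if not persistent_supported:
        return ("redirect", NO_COOKIE_FORM)    # step 1
    # Steps 2-3: new unique ID stored as the ticket. The real ticket
    # format is not modelled; a GUID string stands in for it.
    cookies[TICKET] = str(uuid.uuid4())
    return ("redirect", requested_url)         # step 5


def browse(url, cookies, cookies_supported=True,
           persistent_supported=True, max_hops=5):
    """Follow redirects for one page view and return the list of hops."""
    trace, target = [], url
    for _ in range(max_hops):
        if target == NO_COOKIE_FORM:
            trace.append(("serve", target))
            return trace
        if target == AUTO_COOKIE_FORM:
            hop = autocookie_page(url, cookies, persistent_supported)
        else:
            hop = auth_filter(target, cookies, cookies_supported)
        trace.append(hop)
        if hop[0] == "serve":
            return trace
        target = hop[1]
    # A ticket that is set but never sent back would bounce forever.
    raise RuntimeError("redirect loop between filter and autocookie page")


if __name__ == "__main__":
    jar = {}                                   # constructed, empty cookie jar
    print(browse("/default.asp", jar))         # first visit: two redirects
    print(browse("/default.asp", jar))         # return visit: served directly
```

Because the ID lives in a persistent cookie, the same value reaches the filter on every later request, which is what lets a profile follow the anonymous user across sessions.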

