Tickets for Anonymous Users Who Register

A user who visits a site anonymously receives an MSCSProfile ticket. When an anonymous user registers on your site, he receives an MSCSAuth ticket. The user now has two tickets: an MSCSProfile ticket and an MSCSAuth ticket, both of which are contained in the HTTP header. The order of the tickets, in the HTTP header, is unknown and can vary between requests. AuthFilter is aware of this and automatically searches all cookies for both an MSCSProfile and MSCSAuth ticket.

Two Tickets in the Web Log File

Both cookies are logged in the Web log file in the order they appear in the HTTP request header. The Web server log import DTS task imports the first cookie it finds. The one user can appear to be two users to the DTS task if it finds hits in the log file with the cookies in different orders. This compromises the ability to track the user and may produce erroneous visit and user calculations. If both tickets exist for a particular log entry, the DTS task will use the MSCSProfile ticket.

To work around the problem described above, you can do the following:

  1. Map the user IDs from both the MSCSAuth ticket and the MSCSProfile ticket to the same user ID.
  2. During authentication, verify that the user ID in the MSCSProfile ticket matches the user ID in the MSCSAuth ticket. If the user IDs do not match, you should update the user ID in the MSCSProfile ticket.

See Also

Windows Authentication with Autocookie Mode

Custom Authentication with Autocookie Mode

Autocookie Mode

Rolling Key Encryption for Authentication Tickets

CS Authentication Resource

Commerce Server Cookies

Importing Cookies

Running the Web Server Log Import DTS Task

Copyright © 2005 Microsoft Corporation.
All rights reserved.