Windows Authentication with Autocookie Mode

This topic describes the mixed authentication mode of Windows Authentication with Autocookie. This mode accepts both anonymous and registered users and allows tracking of both types. This mode is useful for sites where part of the content is available to everyone and the rest is available only to registered users.

The primary differences between this mixed mode and Windows Authentication mode are as follows:

  • The mixed mode allows tracking of anonymous users.

  • In mixed mode, an anonymous user must have a valid MSCSProfile ticket to access any URLs regardless of the access control list (ACL) settings. In Windows Authentication mode, an anonymous user does not need a ticket and can access any URL with anonymous access rights.

For more information about Windows Authentication mode, see Windows Authentication Mode. For more information about Autocookie mode, see Autocookie Mode.

Anonymous Users Who Register

A user who visits a site anonymously receives an MSCSProfile ticket. If the user decides to register, they receive an MSCSAuth ticket. The user now has two cookies in the HTTP header containing different tickets. The order of the tickets is unknown and can vary between requests. The AuthFilter is aware of this and automatically searches all cookies for an MSCSAuth ticket before searching for an MSCSProfile ticket.

Both cookies are logged in the Web log file in the order in which they appear in the HTTP request header. The Web server log import DTS task imports the first cookie it finds. If the log file contains hits with the cookies in different orders, a single user can appear to the DTS task as two users. This compromises the ability to track the user and may produce erroneous visit and user calculations.

The solution is to map the user IDs from both the MSCSAuth ticket and the MSCSProfile ticket to the same user ID. Then set the MSCSProfile ticket to an empty string, which causes the MSCSProfile ticket to be deleted.
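
The following Python sketch is an added example, not part of the original documentation or of Commerce Server. It uses constructed Cookie header values (the IDs are made-up stand-ins for opaque ticket values, and all function names are hypothetical) to show how a first-cookie lookup splits one user into two when the cookie order varies, and how mapping both ticket IDs to one user ID restores the count.

```python
# Constructed Cookie header values for illustration. Real ticket values are
# opaque strings; "anon-42" and "reg-7" are made-up stand-ins for user IDs.
SAMPLE_HEADERS = [
    "MSCSProfile=anon-42",                   # anonymous visit
    "MSCSProfile=anon-42; MSCSAuth=reg-7",   # same user after registering
    "MSCSAuth=reg-7; MSCSProfile=anon-42",   # same user, cookies reordered
    "MSCSProfile=anon-99",                   # a different anonymous user
]
TICKETS = ("MSCSAuth", "MSCSProfile")  # MSCSAuth is searched for first

def parse_cookies(header):
    """Return (name, value) pairs in the order they appear in the header."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs

def first_ticket(header):
    """Order-dependent lookup: the first ticket cookie in the header wins."""
    for name, value in parse_cookies(header):
        if name in TICKETS:
            return value
    return None

def preferred_ticket(header):
    """Order-independent lookup: MSCSAuth first, then MSCSProfile."""
    cookies = dict(parse_cookies(header))
    for name in TICKETS:
        if name in cookies:
            return cookies[name]
    return None

def link_ids(headers):
    """Map each MSCSProfile ID to the MSCSAuth ID seen in the same request."""
    links = {}
    for h in headers:
        cookies = dict(parse_cookies(h))
        if all(name in cookies for name in TICKETS):
            links[cookies["MSCSProfile"]] = cookies["MSCSAuth"]
    return links

def count_users(headers, lookup, id_map=None):
    """Count distinct user IDs, optionally mapping IDs to one canonical ID."""
    ids = {lookup(h) for h in headers} - {None}
    return len({(id_map or {}).get(i, i) for i in ids})
```

On this sample, the order-independent lookup alone still counts three users because the pre-registration hit carries only the anonymous ID; the count drops to the correct two only once both IDs are mapped to the same user.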

