Authentication Tickets

A ticket is a property/value pair, such as the userID property and its value; for example, userID/joeuser is a ticket. Commerce Server uses tickets to store information about users visiting a site. A ticket can be stored in a cookie or, for users who do not accept cookies, in a URL query string.

Commerce Server supports two types of tickets:

  • MSCSProfile ticket is used to identify and track guest users, that is, anonymous visitors who have been issued a ticket. MSCSProfile tickets are stored in persistent cookies for users who allow persistent cookies. When you configure the CS Authentication resource, you set how long the cookie remains valid, typically several years.

    Strictly, an anonymous user has no ticket. In some configurations of Windows Authentication, however, anonymous users are issued an MSCSProfile ticket and thereby become guest users. If you use Autocookie mode, for example, anonymous users become guest users.

  • MSCSAuth ticket is used to identify and track registered (authenticated) users. MSCSAuth tickets are stored in non-persistent cookies for users who allow cookies; when the browser session ends, the cookies are deleted. If users do not allow cookies, the ticket data is carried in a URL query string instead. A ticket in a query string is recorded in Web server logs, browser history, and the Referer headers of outgoing links, so serve those pages over SSL and keep the Time Window short.

The type of ticket issued determines which resources the user can access on your Web site.

Both persistent and non-persistent cookies can be encrypted, so that the ticket data is not readable or editable in the browser. These cookies contain the following data:

  • User ID (ticket). Used for persistent and non-persistent cookies. A site developer can determine the value to use as the user ID. For example, it can be either the login name or the e-mail address of a user. For anonymous users, the user ID can be, for example, a globally unique identifier (GUID) generated by one of your ASP pages. (Commerce Server includes the GenID object, which you can use to generate GUIDs.)

  • Time of last login. Used for non-persistent cookies. Together with the Time Window, the time of last login determines when users must be re-authenticated: the ticket remains valid until Time Window minutes have elapsed since the last login. For example, users who register at your Web site, leave their computers without logging off (or are inactive for a period of time), and return before the Time Window closes do not need to log in again. Users who return after the Time Window has closed must log in again.

  • Time Window. Used for non-persistent cookies to determine how long, in minutes, the ticket remains valid after the time of last login.

After a user logs off a site, the authentication expires and the user must log in again to receive a new MSCSAuth ticket. A site developer can add custom properties to both types of cookies.
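The following is an added example, not Commerce Server code, that models the ticket mechanism described above in Python: an MSCSProfile ticket in a persistent cookie, an MSCSAuth ticket in a non-persistent cookie carrying the user ID, time of last login and Time Window, the re-authentication check against that window, and the query-string fallback. The cookie names and fields follow the text; the serialization (JSON with an HMAC-SHA256 tag, base64-encoded) and the SECRET value are assumptions standing in for the cookie encryption that the CS Authentication resource provides, and all sample values in the usage are constructed.

```python
"""Model of Commerce Server-style authentication tickets (added example).

Not Commerce Server code: the JSON + HMAC-SHA256 encoding and SECRET below
are assumptions replacing the encryption keys of the CS Authentication
resource; MSCSProfile/MSCSAuth, userID, time of last login and Time Window
follow the description on this page.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid
from email.utils import formatdate
from typing import Optional

# Assumed site secret (stand-in for the resource's cookie encryption keys).
SECRET = b"example-site-ticket-key"
TAG_LEN = hashlib.sha256().digest_size


def _seal(payload: dict) -> str:
    """Serialize the ticket and append an HMAC so tampering is detectable."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def _open(value: str) -> Optional[dict]:
    """Return the ticket fields if the value is intact, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(value.encode())
    except ValueError:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def set_profile_ticket(user_id: Optional[str] = None, years: int = 5,
                       now: Optional[float] = None) -> str:
    """MSCSProfile: guest ticket in a persistent cookie (Expires years ahead)."""
    now = time.time() if now is None else now
    user_id = user_id or str(uuid.uuid4())  # a GUID, as GenID would generate
    value = _seal({"type": "MSCSProfile", "userID": user_id})
    expires = formatdate(now + years * 365 * 86400, usegmt=True)
    return f"MSCSProfile={value}; Expires={expires}; Path=/; HttpOnly"


def set_auth_ticket(user_id: str, time_window: int,
                    now: Optional[float] = None) -> str:
    """MSCSAuth: registered user, non-persistent cookie (no Expires attribute),
    carrying the time of last login and the Time Window in minutes."""
    now = time.time() if now is None else now
    value = _seal({"type": "MSCSAuth", "userID": user_id,
                   "lastLogin": int(now), "timeWindow": time_window})
    return f"MSCSAuth={value}; Path=/; HttpOnly; Secure"


def cookie_value(set_cookie_header: str) -> str:
    """Pull the bare ticket value out of a Set-Cookie header."""
    return set_cookie_header.split(";", 1)[0].split("=", 1)[1]


def is_authenticated(ticket_value: str,
                     now: Optional[float] = None) -> Optional[str]:
    """Return the user ID if the MSCSAuth ticket is intact and the Time Window
    has not closed since the time of last login; otherwise None (log in again)."""
    t = _open(ticket_value)
    if not t or t.get("type") != "MSCSAuth":
        return None
    now = time.time() if now is None else now
    if now - t["lastLogin"] >= t["timeWindow"] * 60:
        return None  # window closed: user must re-authenticate
    return t["userID"]


def auth_ticket_from_request(cookies: dict, query: dict) -> Optional[str]:
    """Prefer the cookie; fall back to the query string for users who refuse
    cookies. A query-string ticket is exposed in logs, history and Referer
    headers, so in practice accept it only over HTTPS."""
    return cookies.get("MSCSAuth") or query.get("MSCSAuth")


if __name__ == "__main__":
    login_at = 1_700_000_000  # constructed timestamp
    header = set_auth_ticket("joeuser", time_window=90, now=login_at)
    ticket = cookie_value(header)
    print(is_authenticated(ticket, now=login_at + 89 * 60))  # joeuser
    print(is_authenticated(ticket, now=login_at + 90 * 60))  # None
```

With a 90-minute Time Window, a user who returns 89 minutes after logging in is still authenticated and one who returns at 90 minutes is not; a ticket whose value has been altered fails the integrity check and is treated as absent, and an MSCSProfile ticket never satisfies the MSCSAuth check, which is how the ticket type gates access to registered-user resources.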

See Also

Cookies and Authentication

Planning for Security

Working with Site Security and Filters

Managing the CS Authentication Resource

Commerce Server Security Checklist

Securing Your Site


All rights reserved.