Using AJAX with ASP.NET while using Cookieless forms authentication

1 minute read

AJAX gives us ASP.NET developers a great deal of tools and improvements with usability and creating a richer user experience. Just recently, I was working on converting a web application that heavily relies on AJAX. The application is a dashboard for our product with many widgets and controls. So we were doing two things really, first we wanted to persist session state to a database so requests could come in to our load balancer and be distributed to any IIS server. This gives us a great deal of scalability and resiliency. First off I should mention we are using IIS 8 and ASP.NET 4.5 and we are using the AJAX Toolkit.

Secondly, part of the dashboard is a marketing component. We work with a marketing provider who frequently logs into these dashboard accounts and provides email marketing for our clients. Often times they wanted to be logged into two different accounts at the same time. This was not possible due to the fact that our forms authentication is cookie based. Low and behold, cookieless becomes a requirement. Cookieless forms authentication makes it so once you login, your URL has a random cookie string appended so when the request hits the server it knows that it is authenticated. You can find more details about Cookieless here: Understand How the ASP.NET Cookieless Feature Works.

The problem, when you are using a ScriptManager with combining scripts, there will be a request that goes against your primary page instead of ScriptResource.axd and since you use forms authentication, that primary page will require a login and it will fail to return the combined scripts since the cookie is not put into the URL of the request. A way to work around this is just set your ScriptManager to not combine scripts so all requests will go through ScriptResource.axd. Unfortunately, this is less efficient as more requests will occur, however it will not require a login by the ScriptResource.axd.