User Management Http Module

The User Management Http Module controls the cookies that store information about a web site user. Any data in the cookies is encrypted using the encryption configuration specified in the encryptionKeys section. To deal with cookie tampering, if the information in the auth cookie does not match what is in the user cookie, the user is automatically logged out and the user cookie is deleted. For the best possible user security, it is recommended that the registered user cookie only ever be sent over SSL.

For anonymous users the Id on the user object will always be null; their id must be retrieved from the AnonymousId property instead. The main reason the ids for an anonymous user and an authenticated user are stored in two separate properties is to allow for scenarios such as merging an anonymous basket into an authenticated basket, where you need to know both user ids.

<userSecurityManagement>
  <registeredUser cookieName="__CLRegisteredUser" secureEncryptionKeyName="CookieSecure" nonSecureCookieName="__CLRegisteredUserHttp" nonSecureEncryptionKeyName="CookieNonSecure" rememberMeCookieName="__CLRememberMe" sslMode="Mixed" />
  <anonymousUser cookieName="__CLAnonymousUser" />
</userSecurityManagement>

<encryptionKeys>
  <encryptionKey name="CookieSecure" encryptionProviderType="AesEncryptionProvider">
    <key name="public" value="myPublicKey"/>
  </encryptionKey>
  <encryptionKey name="CookieNonSecure" encryptionProviderType="AesEncryptionProvider">
    <key name="public" value="myPublicKey"/>
  </encryptionKey>
</encryptionKeys>
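
The cross-check described above, sketched in C# as an added example (not the module's own code): the registered-user cookie is decrypted, its id is compared with the id from the auth cookie, and a mismatch or a modified cookie yields an anonymous user plus a sign-out signal. All type and method names are hypothetical, AES-GCM on .NET 8 is an assumed stand-in for AesEncryptionProvider, and the key and ids are constructed sample values.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Constructed demo values; every name in this example is hypothetical.
byte[] key = RandomNumberGenerator.GetBytes(32);
string cookie = CookieCheck.Protect(key, "user-42");
string altered = (cookie[0] == 'A' ? "B" : "A") + cookie[1..];
Console.WriteLine(CookieCheck.Resolve(key, "user-42", cookie, "anon-7"));  // ids agree
Console.WriteLine(CookieCheck.Resolve(key, "user-99", cookie, "anon-7"));  // auth cookie names another user
Console.WriteLine(CookieCheck.Resolve(key, "user-42", altered, "anon-7")); // cookie modified in transit

public sealed record SiteUser(string? Id, string AnonymousId);
public static class CookieCheck
{
    // AES-GCM is an assumed stand-in. Layout: nonce(12) | tag(16) | ciphertext.
    public static string Protect(byte[] key, string value)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(12), tag = new byte[16];
        byte[] plain = Encoding.UTF8.GetBytes(value), cipher = new byte[plain.Length];
        using var aes = new AesGcm(key, 16);
        aes.Encrypt(nonce, plain, cipher, tag);
        return Convert.ToBase64String(nonce.Concat(tag).Concat(cipher).ToArray());
    }

    // Returns null when the cookie is absent, malformed or fails authentication.
    public static string? Unprotect(byte[] key, string? cookie)
    {
        if (string.IsNullOrEmpty(cookie)) return null;
        try
        {
            byte[] blob = Convert.FromBase64String(cookie);
            if (blob.Length < 28) return null;
            byte[] plain = new byte[blob.Length - 28];
            using var aes = new AesGcm(key, 16);
            aes.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(28), blob.AsSpan(12, 16), plain);
            return Encoding.UTF8.GetString(plain);
        }
        catch (Exception e) when (e is FormatException or CryptographicException) { return null; }
    }

    // Page's rule: ids must match, else anonymous (Id null) and the caller signs out and deletes the cookie.
    public static (SiteUser User, bool SignOut) Resolve(byte[] key, string? authId, string? userCookie, string anonId)
    {
        string? id = Unprotect(key, userCookie);
        bool ok = id != null && string.Equals(authId, id, StringComparison.Ordinal);
        return (new SiteUser(ok ? id : null, anonId), !ok && (authId != null || userCookie != null));
    }
}
```

AnonymousId is carried on the result in every case, which is what lets a caller merge an anonymous basket into an authenticated one after a successful match.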

Last edited Dec 12, 2012 at 4:56 PM by cmcauliffe, version 7
