2

Is there an easy way to read the cookieName from the web.config for the anonymousIdentification section while working in Medium Trust?

What I'm trying to do is prevent the creation of thousands of Anonymous users because either:

  1. people have cookies turned off, or
  2. the visitor is a spider/bot without cookie capabilities.

How I'm attempting to accomplish this is by checking for the presence of either the Forms Authentication or Anonymous Identification cookies in Application_BeginRequest. If there is no cookie, I set a flag that will prevent the saving of anything to the database.

But in order to do that I must know the names of the cookies. For that, I attempted to do this:

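```csharp
// Requires: using System.Web.Configuration; using System.Web.Security;
AuthCookieName = FormsAuthentication.FormsCookieName;
// The GetSection call below is the one that fails under Medium Trust.
var anonSection = (AnonymousIdentificationSection)WebConfigurationManager.GetSection("system.web/anonymousIdentification");
if (anonSection != null)
    AnonCookieName = anonSection.CookieName;
```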

While the auth cookie name is retrieved without any problems, the WebConfigurationManager throws the security exception: `System.Security.SecurityException: Request for the permission of type 'System.Configuration.ConfigurationPermission, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' failed.`

I know this is a trust issue because when I give High or Full Trust the exception goes away. However, it is important this works in Medium Trust, and I cannot modify the machine.config.

Is there a way to set requirePermission="false" at the web.config level of my application for the anonymousIdentification section?

Am I going to have to load the web.config in an XML document and parse it out manually?

Other ideas?


Is there something better than this? I'm only running once on Application_Start().

```csharp
// Requires: using System.Xml;
// Read Web.config as a plain XML file instead of going through the configuration API.
XmlDocument config = new XmlDocument();
config.Load(Server.MapPath("~/Web.config"));
XmlNode anonSection = config.SelectSingleNode("configuration/system.web/anonymousIdentification");
if (anonSection != null)
{
    XmlAttribute nameAttr = anonSection.Attributes["cookieName"];
    if (nameAttr != null)
        AnonCookieName = nameAttr.Value;
}
// Fall back to the default cookie name when the attribute is absent.
if (string.IsNullOrWhiteSpace(AnonCookieName))
    AnonCookieName = ".ASPXANONYMOUS";
```
TheCloudlessSky
Sam
  • Can an "unauthenticated user" save to db? IMHO, if they did, I fail to see why you need to distinguish (unless I'm missing something). To find out if the user is authenticated, can't [`HttpRequest.IsAuthenticated`](http://msdn.microsoft.com/en-us/library/system.web.httprequest.isauthenticated.aspx) suffice? – EdSF Dec 26 '12 at 17:43
  • Unauthenticated user data will also be saved to the database. – Sam Dec 26 '12 at 17:46
  • Wouldn't that be simplified to `HttpRequest.IsAuthenticated` (true or false) then? – EdSF Dec 26 '12 at 17:48
  • Sorry, I'm not following. Doesn't IsAuthenticated just tell me whether the user has been logged in (has a FormsAuthentication cookie)? How does that help with knowing whether or not to store data about anonymous users? If the user has cookies disabled, the anonymousId will change on every request, creating a new anonymous user and associated data. – Sam Dec 26 '12 at 17:52
  • For clarification, I'm not trying to distinguish between authenticated and unauthenticated users. I'm trying to distinguish between clients that can persist their state from request to request (cookies enabled), and those that cannot. I'm doing this so I do not end up with tens or hundreds of thousands of abandoned records in the database. – Sam Dec 26 '12 at 18:06
  • 1
    If `.IsAuthenticated == false`, then the user is "anonymous" or cookies disabled, or bot, _assuming authentication is "required"_ in your app. Otherwise, if it's a matter of checking whether the client can deal with cookies or not, then it doesn't even have to be an authentication cookie... – EdSF Dec 26 '12 at 19:32
  • +1 for "it doesn't even have to be an authentication cookie". I just know that one of these two cookies should be set on every single request, so it made sense to me to check for one of those rather than creating another cookie. – Sam Dec 26 '12 at 20:05

1 Answer

0

According to Microsoft, Medium Trust is dead. But if you have to do it, this should work:

```csharp
// Requires: using System.Xml;
// Read Web.config as a plain XML file instead of going through the configuration API.
XmlDocument config = new XmlDocument();
config.Load(Server.MapPath("~/Web.config"));
XmlNode anonSection = config.SelectSingleNode("configuration/system.web/anonymousIdentification");
if (anonSection != null)
{
    XmlAttribute nameAttr = anonSection.Attributes["cookieName"];
    if (nameAttr != null)
        AnonCookieName = nameAttr.Value;
}
// Fall back to the default cookie name when the attribute is absent.
if (string.IsNullOrWhiteSpace(AnonCookieName))
    AnonCookieName = ".ASPXANONYMOUS";
```
Sam
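The cookie-name lookup and the `Application_BeginRequest` check described in the question, put together in one `Global.asax.cs`. This is an added example, not code from either poster: `CanPersistKey` and `ReadAnonCookieName` are names made up here, and it goes slightly beyond the posted snippet by matching on `local-name()` so that a root element with a default `xmlns` does not break the lookup. It assumes anonymous identification runs in cookie mode.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Xml;

public class Global : HttpApplication
{
    // Hypothetical key for this example; data-access code checks it before writing.
    public const string CanPersistKey = "ClientCanPersistState";
    private const string DefaultAnonCookie = ".ASPXANONYMOUS";

    private static string AuthCookieName;
    private static string AnonCookieName = DefaultAnonCookie;

    protected void Application_Start(object sender, EventArgs e)
    {
        AuthCookieName = FormsAuthentication.FormsCookieName;
        AnonCookieName = ReadAnonCookieName(Server.MapPath("~/Web.config"));
    }

    // Plain file read plus XML parse, so the configuration API is never called.
    internal static string ReadAnonCookieName(string configPath)
    {
        var config = new XmlDocument();
        config.Load(configPath);
        // local-name() ignores namespaces on <configuration> and its children.
        XmlNode section = config.SelectSingleNode(
            "/*[local-name()='configuration']/*[local-name()='system.web']" +
            "/*[local-name()='anonymousIdentification']");
        XmlAttribute attr = section == null ? null : section.Attributes["cookieName"];
        return attr == null || string.IsNullOrWhiteSpace(attr.Value)
            ? DefaultAnonCookie
            : attr.Value;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Request.Cookies[name] is null when the client did not send that cookie.
        bool sentCookie = Request.Cookies[AuthCookieName] != null
                       || Request.Cookies[AnonCookieName] != null;
        // False on a client's first request and on every request from a
        // cookieless client or bot; writes for anonymous data are skipped then.
        Context.Items[CanPersistKey] = sentCookie;
    }
}
```

The flag only records that a cookie with the expected name was sent; the value is not validated here, so it limits abandoned rows from cookieless clients rather than acting as an access control.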