
If I have a look at my cookie value .ASPXANONYMOUS, it is a string, i.e.

WZnX-rXHygEkAAAAOTFhZjE5YTctZmEzZi00MTMwLWEwNTAtYjYwMzI0N2M0NTY4gQUsRlThiJWAjBgmBnpeIba7eGo1

The value Request.AnonymousID is a Guid.

How do you get from ASPXANONYMOUS to AnonymousID?

I need this to debug some issues I have with FormsAuthentication.

Mathias F

1 Answer


Yes, an anonymous id is a GUID. The cookie string is an encrypted value containing the id and other data:

```csharp
[Serializable]
internal class AnonymousIdData
{
    internal string AnonymousId;
    internal DateTime ExpireDate;

    internal AnonymousIdData(string id, DateTime dt);
}
```

By default, anonymous cookies are valid for 90 days and are refreshed every visit.

You can treat Request.AnonymousID as the request username when Request.IsAuthenticated==false.

See AnonymousIdentificationModule.

UPDATE: In response to a comment, yes, you can decode the value, but why?

```csharp
// Requires: using System; using System.Diagnostics; using System.Reflection;
//           using System.Web.Security;
string aId = Request.AnonymousID;

string anonCookieValue = Request.Cookies[".ASPXANONYMOUS"].Value;

// GetDecodedValue is a private static method of the module, so it is reached via reflection.
MethodInfo method = typeof(AnonymousIdentificationModule).GetMethod("GetDecodedValue", BindingFlags.Static | BindingFlags.NonPublic);
object anonymousIdData = method.Invoke(null, new object[] { anonCookieValue });

// Read the two internal fields of the returned AnonymousIdData instance.
var field = anonymousIdData.GetType().GetField("AnonymousId", BindingFlags.Instance | BindingFlags.NonPublic);
string anonymousId = (string) field.GetValue(anonymousIdData);
field = anonymousIdData.GetType().GetField("ExpireDate", BindingFlags.Instance | BindingFlags.NonPublic);
DateTime expired = (DateTime) field.GetValue(anonymousIdData);

// why? just use Request.AnonymousID
Debug.Assert(aId == anonymousId);
```
Sky Sanders
  • Can you decrypt the cookie string? – Mathias F Mar 19 '10 at 23:15
  • Valid question. I guess because I want to totally mess up my application :-) But the real answer is this problem I have: http://stackoverflow.com/questions/2448720/different-users-get-the-same-cookie-value-in-aspxanonymous – Mathias F Mar 21 '10 at 17:42
  • **WHY?** Because sometimes you have access to cookies, but no (reasonably good or appropriate) access to Request.AnonymousID. For example in signalr and webapi. – danludwig Sep 06 '13 at 18:23
  • Several years later, I needed to do this because of code executing in the OnAuthenticateRequest event, whereas the AnonymousID is only supplied to HttpRequest during OnPostAuthenticateRequest – Jeremy Frey Sep 25 '19 at 20:22
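
For the cases raised in the comments, where only the raw cookie is at hand, the cookie can be inspected for debugging without reflection. This is an added example, not code from the answer or from ASP.NET itself: the class and method names are hypothetical, and the blob layout (8-byte FILETIME expiry, 4-byte length, UTF-8 id, trailing MAC) is an assumption that holds when the cookie is signed but not encrypted (`cookieProtection="Validation"`), as the GUID readable inside the sample value in the question indicates.

```csharp
using System;
using System.Text;
using System.Web;

// Hypothetical helper for debugging/logging only. It does NOT verify the
// trailing MAC, so never use its output for an authorization decision.
public static class AnonymousCookieInspector
{
    public static bool TryRead(string cookieValue, out string anonymousId, out DateTime expiresUtc)
    {
        anonymousId = null;
        expiresUtc = DateTime.MinValue;
        if (string.IsNullOrEmpty(cookieValue)) return false;

        byte[] blob;
        try { blob = HttpServerUtility.UrlTokenDecode(cookieValue); }
        catch (FormatException) { return false; }          // not valid URL-token base64
        if (blob == null || blob.Length < 13) return false; // need header plus at least 1 id byte

        long fileTime = BitConverter.ToInt64(blob, 0);      // assumed: expiry as FILETIME (UTC)
        int idLength = BitConverter.ToInt32(blob, 8);       // assumed: byte length of the id
        // An encrypted or corrupted cookie will normally fail this bounds check.
        if (idLength <= 0 || idLength > blob.Length - 12) return false;

        try { expiresUtc = DateTime.FromFileTimeUtc(fileTime); }
        catch (ArgumentOutOfRangeException) { return false; }

        anonymousId = Encoding.UTF8.GetString(blob, 12, idLength);
        return true;
    }

    public static void Main()
    {
        // Sample cookie value taken from the question above.
        const string sample =
            "WZnX-rXHygEkAAAAOTFhZjE5YTctZmEzZi00MTMwLWEwNTAtYjYwMzI0N2M0NTY4gQUsRlThiJWAjBgmBnpeIba7eGo1";

        string id;
        DateTime expires;
        if (TryRead(sample, out id, out expires))
        {
            Guid parsed;
            Console.WriteLine("id={0} isGuid={1} expiresUtc={2:o} expired={3}",
                id, Guid.TryParse(id, out parsed), expires, expires < DateTime.UtcNow);
        }
        else
        {
            Console.WriteLine("Cookie is missing, malformed, or encrypted.");
        }
    }
}
```

Because the MAC is not checked here, a client can alter the id this helper returns; `Request.AnonymousID` or the module's own `GetDecodedValue` remains the value to trust.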