DotNetNuke uses a number of cookies, the most important of which are the forms authentication cookie (created when a user logs in) and the portalroles cookie, which stores what roles a user has access to in the current portal.
Login and security
The forms authentication cookie is by default a temporary (session) cookie rather than a persistent cookie; however, users can make it persistent by checking the "remember me" checkbox on the login control. This can be removed via the UI or a setting.
The portal roles cookie is persistent, but it only exists for 1 minute. Its contents are encrypted and include a portalid to make sure that they only apply to that portal. We use the expiry here because we want to be sure to refresh the user's portal roles to pick up any alterations that may have occurred, e.g. if an admin has added the user to new roles. There is no way to disable this in the application currently, but you can create an alternative membership provider and alter the logic as you see fit; the relevant code can be found in library/httpmodules/membership/membershipmodule.cs (or .vb if using a version prior to 6.0).
Please note that whilst session cookies are typically preferred, this cookie has a short expiration of 1 minute (to ensure role identification is valid). Making it a session cookie would result in a longer-lasting cookie (by default, 30 minutes since the last period of activity), so a persistent cookie is the better option in this case.
- As well as these two, DotNetNuke can create a cookie to track affiliates (used to allow sites to track and reward vendor affiliates). Whilst this (little used) function cannot be disabled by a setting, sites that do not allow persistent cookies can safely remove it themselves by editing default.aspx.cs (or .vb), going to the ManageRequest function and removing the request.cookies("affiliateid") block.
- You may also see one other cookie if you choose to install and use the usersonline module, as it creates cookies to track when an anonymous user logs in so that it does not miscount active users. To avoid this cookie, log in as host, go to host->host settings and ensure "enable users online" is unchecked (this is the default).
- A cookie is created called "language" to store the current language - in a monolingual install this is simply the browser default language, but if the site supports multiple languages then this may be different based on the language selected by clicking in the languages skin object.
- A cookie with the name ".ASPXANONYMOUS" is also created by ASP.NET anonymous authentication. This can be disabled by setting enabled=false in the anonymousIdentification node in web.config.
- If you are using the mobile redirection capabilities (added in 6.1.0 for PE/EE, and 6.1.5 for all editions), two optional cookies may be created. The cookies are called "disablemobileredirect" (which disables redirects when a mobile device is detected) and "disableredirectpresist" (sic), which stores a cookie with a lifetime of 20 minutes to indicate that redirects are not allowed.
- The DNNPersonalization cookie is used to store personalization data (such as tab expansion) for anonymous users. Authenticated users' personalization data is stored in their profile.
- Two cookies in the form "_ContainerSrc" and "_SkinSrc" can be used to read and set the portal specific container and skin - these are both read only cookies.
- If you are using the stylesheet widget (or relocation widget or style scrubber widgets which can the stylesheet widget) then two cookies are created: StyleSheetWidget_SizeWidget, which stores the width, and StyleSheetWidget_TextSizeWidget, which stores the text size. These values can then be consumed if you provide alternative stylesheets.
- Tab controls create a cookie to store the last selected tab, e.g. if you visit admin->site settings and click on the "advanced settings" tab, it will create a cookie called "dnnTabs-dnnSiteSettings" and store the tabindex (1). This is read back when the page is revisited and the previously selected tab is then selected.
- Panel controls apply a similar logic to tab controls, e.g. if you visit admin->site settings, click on "advanced settings" and expand "security settings", it will create a cookie called "dnnSitePanel-SecuritySettings" and store the value "true". This is read back when the page is revisited and the previously expanded panel is correctly expanded.
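
To check a site against the cookie list above, the following added example (not DotNetNuke code) audits the Set-Cookie headers of a response: it flags names that are not in the list, a portalroles cookie that is not a 1-minute persistent cookie, and a persistent login cookie. The function names are hypothetical, the sample headers are constructed, and the forms authentication cookie name `.DOTNETNUKE` is an assumption to be replaced with the name configured in your web.config.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
# Names come from the cookie list above. FORMS_COOKIE is an assumption: use the
# value of <forms name="..."> from the site's own web.config.
FORMS_COOKIE = ".DOTNETNUKE"
INVENTORY = {FORMS_COOKIE, "portalroles", "affiliateid", "language", ".ASPXANONYMOUS",
             "disablemobileredirect", "disableredirectpresist", "DNNPersonalization",
             "_ContainerSrc", "_SkinSrc", "StyleSheetWidget_SizeWidget",
             "StyleSheetWidget_TextSizeWidget"}
PREFIXES = ("dnnTabs-", "dnnSitePanel-")  # per-control cookies share these prefixes

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes keyed in lower case)."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return first.split("=", 1)[0], attrs

def lifetime_seconds(attrs, now):
    """Return None for a session cookie, else seconds until expiry (Max-Age wins)."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None

def audit(headers, now):
    """Classify each Set-Cookie header against the inventory; return {name: finding}."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        life = lifetime_seconds(attrs, now)
        if name not in INVENTORY and not name.startswith(PREFIXES):
            findings[name] = "not in the documented cookie list"
        elif name == "portalroles" and (life is None or life > 60):  # 1 minute
            findings[name] = "portalroles should be persistent and expire within 1 minute"
        elif name == FORMS_COOKIE and life is not None:
            findings[name] = "persistent login cookie ('remember me' in use)"
        else:
            findings[name] = "session" if life is None else f"persistent, {life}s"
    return findings

# Constructed sample headers (not captured from a real site); fixed clock for repeatability.
NOW = datetime(2013, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    ".DOTNETNUKE=ABC123; path=/; HttpOnly",
    "portalroles=DEF456; expires=Tue, 01 Jan 2013 10:01:00 GMT; path=/; HttpOnly",
    "affiliateid=42; expires=Wed, 01 Jan 2014 10:00:00 GMT; path=/",
    "tracker=xyz; Max-Age=86400",
]
```

Call `audit(SAMPLE, NOW)` to see the classification; for a live site, pass the Set-Cookie values from a response and `datetime.now(timezone.utc)`.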