Can't we just store in the session if the user is logged in or not and get rid of the .ASPXAUTH?
ASP.Net_SessionId
is a cookie which is used to identify the users session on the server. The session being an area on the server which can be used to store data in between http requests.
For example, the controller action may perform:
Session["FirstName"] = model.FirstName;
Then, in a subsequent action the first name can be retrieved from the session:
var firstName = Session["FirstName"];
The ASP.Net_SessionId identifies the session for that users request. A different user will submit a different cookie and thus Session["FirstName"]
will hold a different value for that different user.
ASPXAUTH
is a cookie to identify if the user is authenticated (that is, has their identity been verified). For example, a controller action may determine if the user has provided the correct login credentials and if so issue a authentication cookie using:
FormsAuthentication.SetAuthCookie(username, false);
Then later you can check if the user is authorised to perform an action by using the [Authorize] attribute which checks for the presence of the ASPXAUTH
cookie.
So in summary, the cookies are there for 2 different purposes. One to determine the users session state and one to determine if the user is authenticated.
To complete the answer to your question, yes, you could get rid of the ASPXAUTH
cookie and just use session to identify the user (I have seen this done in older classic asp applications) but I wouldn't recommend it. It is much better to have a cleaner separation of concerns and use the appropriate method where necessary. The session and authentication will have their own time-out values set. By using the session for authentication you will only have the single time-out. I'm not sure though if there are any security implications in just using session for authentication, but still I would keep them separate.