ASP.NET_SessionId vs .ASPXAUTH why do we need both of them?

Daniel Gartmann picture Daniel Gartmann · May 20, 2014 · Viewed 26.8k times · Source

Can't we just store in the session if the user is logged in or not and get rid of the .ASPXAUTH?

Answer

Dangerous picture Dangerous · May 20, 2014

ASP.Net_SessionId is a cookie which is used to identify the users session on the server. The session being an area on the server which can be used to store data in between http requests.

For example, the controller action may perform:

Session["FirstName"] = model.FirstName;

Then, in a subsequent action the first name can be retrieved from the session:

var firstName = Session["FirstName"];

The ASP.Net_SessionId identifies the session for that users request. A different user will submit a different cookie and thus Session["FirstName"] will hold a different value for that different user.

ASPXAUTH is a cookie to identify if the user is authenticated (that is, has their identity been verified). For example, a controller action may determine if the user has provided the correct login credentials and if so issue a authentication cookie using:

FormsAuthentication.SetAuthCookie(username, false);

Then later you can check if the user is authorised to perform an action by using the [Authorize] attribute which checks for the presence of the ASPXAUTH cookie.

So in summary, the cookies are there for 2 different purposes. One to determine the users session state and one to determine if the user is authenticated.

To complete the answer to your question, yes, you could get rid of the ASPXAUTH cookie and just use session to identify the user (I have seen this done in older classic asp applications) but I wouldn't recommend it. It is much better to have a cleaner separation of concerns and use the appropriate method where necessary. The session and authentication will have their own time-out values set. By using the session for authentication you will only have the single time-out. I'm not sure though if there are any security implications in just using session for authentication, but still I would keep them separate.