ASP.NET_SessionId vs .ASPXAUTH why do we need both of them?

Can't we just store in the session if the user is logged in or not and get rid of the .ASPXAUTH?

Daniel Gartmann asked May 20 '14 11:05



2 Answers

ASP.Net_SessionId is a cookie which is used to identify the user's session on the server. The session is an area on the server which can be used to store data between HTTP requests.

For example, the controller action may perform:

Session["FirstName"] = model.FirstName;

Then, in a subsequent action the first name can be retrieved from the session:

var firstName = Session["FirstName"];

The ASP.Net_SessionId identifies the session for that user's request. A different user will submit a different cookie and thus Session["FirstName"] will hold a different value for that different user.

ASPXAUTH is a cookie to identify if the user is authenticated (that is, has their identity been verified). For example, a controller action may determine if the user has provided the correct login credentials and, if so, issue an authentication cookie using:

FormsAuthentication.SetAuthCookie(username, false);

Then later you can check if the user is authorised to perform an action by using the [Authorize] attribute which checks for the presence of the ASPXAUTH cookie.

So in summary, the cookies are there for 2 different purposes. One to determine the user's session state and one to determine if the user is authenticated.

To complete the answer to your question, yes, you could get rid of the ASPXAUTH cookie and just use session to identify the user (I have seen this done in older classic ASP applications) but I wouldn't recommend it. It is much better to have a cleaner separation of concerns and use the appropriate method where necessary. The session and authentication will have their own time-out values set. By using the session for authentication you will only have the single time-out. I'm not sure, though, if there are any security implications in just using session for authentication, but still I would keep them separate.

Dangerous answered Sep 20 '22 04:09

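The separation the answer above describes, as an added example that is not part of the original answer: an ASP.NET MVC 5 controller that issues the .ASPXAUTH ticket for authentication, uses ASP.NET_SessionId-keyed session state for unrelated data, keeps the two lifetimes independent, and clears both on logout. It assumes System.Web.Mvc and System.Web.Security are referenced and uses a hypothetical CredentialStore.Verify as a stand-in for the application's own credential check; the web.config values in the comment are assumed settings, not from the page.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Assumed web.config fragment (not from the page) that keeps the two lifetimes separate:
//   <sessionState timeout="20" />                    -> ASP.NET_SessionId idle timeout
//   <authentication mode="Forms">
//     <forms loginUrl="~/Account/Login" timeout="30"
//            slidingExpiration="true" requireSSL="true" />   -> .ASPXAUTH ticket lifetime
//   </authentication>
public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password)
    {
        // CredentialStore.Verify is a hypothetical placeholder for your own password check.
        if (!CredentialStore.Verify(username, password))
            return View();

        // Authentication: issue the .ASPXAUTH ticket as a non-persistent cookie.
        FormsAuthentication.SetAuthCookie(username, createPersistentCookie: false);

        // Session state: application data keyed by ASP.NET_SessionId, independent of the ticket.
        Session["FirstName"] = username;   // constructed sample value
        return RedirectToAction("Profile");
    }

    // [Authorize] only checks the forms ticket. The session can expire on its own schedule,
    // so an authenticated user may arrive with an empty session; handle that case explicitly.
    [Authorize]
    public ActionResult Profile()
    {
        var firstName = Session["FirstName"] as string;
        if (firstName == null)
            return Content("Authenticated as " + User.Identity.Name + ", but session data has expired.");
        return Content("Hello " + firstName);
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();   // expires the .ASPXAUTH cookie
        Session.Abandon();               // discards the server-side session data
        // Expire the session cookie too, so the next request receives a fresh ASP.NET_SessionId
        // rather than reusing the old identifier after logout.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
            { Expires = DateTime.UtcNow.AddDays(-1), HttpOnly = true });
        return RedirectToAction("Login");
    }
}
```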


.NET issues an entirely different cookie, named ASP.NET_SessionId, to track session state.

The ASPXAUTH cookie is used to determine if a user is authenticated.

So these are 2 different concepts, i.e. Session State Management and Authentication Management using Forms Authentication.

If you use Session to authenticate and forget Forms Authentication, you will get rid of .ASPXAUTH.

Nipun Ambastha answered Sep 22 '22 04:09
