Is there any good reason why the authentication cookie and the session state cookie are two separate cookies?

Question

Is there any good reason why ASP.NET's session state cookie and the Forms Authentication cookie are two separate cookies? What if I want to "tie" them to each other? Is it possible in an elegant way?

Right now, I am stuck with the following solution, which works, but is still ugly:

[Authorize]
public ActionResult SomeAction(SomeModel model)
{
    // The following four lines must be included in *every* controller action
    // that requires the user to be authenticated, defeating the purpose of
    // having the Authorize attribute.
    if (SomeStaticClass.WasSessionStateLost/*?*/) {
        FormsAuthentication.SignOut();
        return RedirectToAction("Login", "Account");
    }

    // ...
}

---

@RPM1984: This is what happens:

[HttpPost]
public ActionResult Login(LoginModel loginModel)
{
    if (/* user ok */)
    {
        // ...
        Session["UserID"] = loginModel.UserID;
        Session["Password"] = loginModel.Password;
        // ...
    }
    else
    {
        return View();
    }
}

And it doesn't take much guessing to know what WasSessionStateLost does.

Answer 1

Session != Authentication

The session state cookie tracks the user's activity during a browser session.

The forms authentication cookie tracks the user's authenticated activity during a given time period, specified by the expiration date of the ticket and whether or not you have created a persistent cookie (e.g "Remember Me" checkbox).

You shouldn't be touching the session cookie itself, and all it contains is an identifier to tie the client session (browser) to the server.

If you need to access the session, use HttpContext.Current.Session.

What exactly are you trying to "tie" together?

What does SomeStaticClass.WasSessionStateLost do?