1

Why do we need a 2nd mechanism, next to e.g. The forms authentication mechanism, to keep the state? I have quite a good understanding as to why session tokens are used. I also understand the forms authentication mechanism. What i dont understand is why we need the two.

As the formsauth cookie is unique, we could use this to track the user's state, right? I feel this would be a lot safer: we track the state, and we know the user is authenticated. Ive googled a lot, and often people say that, in asp, it is good practice to link sessionid and authentication token together... That is actually the same as just using one of the two for both, no?

One situation where i can think of where we need anonymous state, is in an application where the user does not necessarily need to log in. But then again, we have anonymous authentication, right?

Michael
  • 363
  • 5
  • 20

2 Answers2

1

The session and authentication modules can be swapped out individually. It would add complexity for them to try to detect each other so that they can share a cookie in this one case.

It would also (unexpectedly) link operations together. For example, logging out of the app would cause the session to be deleted. This might be preferred but it would only work this way for a specific combination of modules.

You are free to extend the default modules to share the same cookie if you wish. You might even be able to force them to use the same cookie by changing their settings in the web.config.

David
  • 34,223
  • 3
  • 62
  • 80
  • Thanks for the answer. So basically, if there was a way to link sessionIDs and authenticationtokens together the moment a user authenticates, and decouple them once the user logs out, this would add more safety? This way, attacks where a user with low privileges hijacks a session of a user with high privileges can be avoided, while still preserving the advantages of having both. – Michael Sep 17 '13 at 14:09
  • I don't think a single cookie is any more secure than two cookies. Take a look at this other question for how to prevent cookie hijacking: http://stackoverflow.com/questions/22880/what-is-the-best-way-to-prevent-session-hijacking – David Sep 17 '13 at 14:25
1

In early days of ASP, session was often used as an auth cookie. While the auth and session cookies overlap in simple cases, there are many situations where they need to be separate.

  • auth is handled by something other than ASP.NET
  • session is maintained, but auth has expired (e.g. Amazon shopping cart)
  • session can expire, but the auth cookie is persisted (e.g. remember my login)
0leg
  • 966
  • 5
  • 9