https://stackoverflow.com/questions/23758704/asp-net-sessionid-vs-aspxauth-why-do-we-need-both-of-them

ASP.Net_SessionId is a cookie which is used to identify the users session on the server. The session being an area on the server which can be used to store data in between http requests.

For example, the controller action may perform:

Session["FirstName"] = model.FirstName;

Then, in a subsequent action the first name can be retrieved from the session:

var firstName = Session["FirstName"];

The ASP.Net_SessionId identifies the session for that users request. A different user will submit a different cookie and thus Session["FirstName"] will hold a different value for that different user.

ASPXAUTH is a cookie to identify if the user is authenticated (that is, has their identity been verified). For example, a controller action may determine if the user has provided the correct login credentials and if so issue a authentication cookie using:

FormsAuthentication.SetAuthCookie(username, false);

Then later you can check if the user is authorised to perform an action by using the [Authorize] attribute which checks for the presence of the ASPXAUTH cookie.

So in summary, the cookies are there for 2 different purposes. One to determine the users session state and one to determine if the user is authenticated.

To complete the answer to your question, yes, you could get rid of the ASPXAUTH cookie and just use session to identify the user (I have seen this done in older classic asp applications) but I wouldn't recommend it. It is much better to have a cleaner separation of concerns and use the appropriate method where necessary. The session and authentication will have their own time-out values set. By using the session for authentication you will only have the single time-out. I'm not sure though if there are any security implications in just using session for authentication, but still I would keep them separate.

https://stackoverflow.com/questions/423467/what-is-aspxauth-cookie

The ASPXAUTH cookie is used to determine if a user is authenticated.

As far as the location of the cookie, that depends on your browser. If you are using Firefox you can view the cookie by clicking on Tools -> Options -> Privacy. Then scroll down to the domain and expand it to see the cookie and its value. The value is encrypted using the machine key (located in the server's machine.config or web.config file) so looking at the cookie on the client won't really provide you any information. You can decrypt/view the value on the server side using:

HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];//.ASPXAUTH
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);

where authTicket has these fields:

The statement "ASPXAUTH is basically used to maintain ASP.NET Session State" is incorrect. ASP.NET issues an entirely different cookie, named ASP.NET_SessionId, to track session state.

待解决的问题

aspxformsauth 有domain和path,但是asp.net_sessionid没有。

所以在web.config中,还是不要配置doamin和path,直接修改aspxformsauth的name来进行区分不同的Application.

http://www.cnblogs.com/chucklu/p/7813459.html

ASP.NET_SessionId vs .ASPXAUTH why do we need both of them?的更多相关文章

  1. How to secure the ASP.NET_SessionId cookie? 设置ASP.NET_SessionId Secure=true

    How to secure the ASP.NET_SessionId cookie? To add the ; secure suffix to the Set-Cookie http header ...

  2. ASP.NET_SessionId 不相同导致验证码出错

    问题: 今天碰到一个比较奇怪的问题,每个页面请求的cookie的ASP.NET_SessionId 不相同,导致验证码检验出错.也就是说每个请求都是一个新的会话,我们把验证码保证在Session[ra ...

  3. IIS安全工具UrlScan介绍 ASP.NET 两种超强SQL 注入免费解决方案( 基于IIS,使用免费工具) 批改或隐藏IIS7.5的Server头信息 移除X-Powered-By,MVC,ASP.NET_SessionId 的 HTTP头或者cookie名称

    微软给了我们一个很好的工具用来使IIS安全的运行-------UrlScan,下面是它的配置文件介绍 [options]UseAllowVerbs=1                ; 若为1,则使用 ...

  4. python抢票开发——设备预约助手实现

    女朋友是药学院的,做实验时需要在特定的网站上进行设备预约,由于预约人数过多,从而导致从浏览器登录不进去或者登录进去预约失败等情况,所以我用python帮她写了一个抢位助手,让程序自动去进行位置预定,实 ...

  5. ASP.NET Session and Forms Authentication and Session Fixation

    https://peterwong.net/blog/asp-net-session-and-forms-authentication/ The title can be misleading, be ...

  6. ASP.NET MVC开发日常一:SessionID合理清除

    在MVC Web开发中临时存储数据一般会用到Session,Cookie,ViewBag,ViewData,TempData.每个的使用场景是不同,具体区别有空再补上. Session数据最敏感,最需 ...

  7. ASP.NET Cookie(一)--基本应用

    Cookie提供了一种在Web应用程序中存储用户特定信息的方法.例如,当用户访问您的站点时,您可以使用Cookie存储用户首选项或其他信息.当该用户再次访问您的网站时,应用程序便可以检索以前存储的信息 ...

  8. HTML <input type="file">上传文件——结合asp.net的一个文件上传示例

    HTML的代码:(关键是要在form里设置enctype="multipart/form-data",这样才能在提交表单时,将文件以二进制流的形式传输到服务器) 一. <fo ...

  9. asp.net,cookie,写cookie,取cookie

    Cookie是一段文本信息,在客户端存储 Cookie 是 ASP.NET 的会话状态将请求与会话关联的方法之一.Cookie 也可以直接用于在请求之间保持数据,但数据随后将存储在客户端并随每个请求一 ...

随机推荐

  1. Swift mutating Equatable Hashable 待研究

    Swift mutating Equatable Hashable 待研究

  2. MySQLWorkBench怎么设置主键自增长

    参考 https://blog.csdn.net/qq_40472613/article/details/87858099 勾选AI选项,相当于执行了这个语句: AUTO_INCREMENT表示自增 ...

  3. IOS 11,UIWebView内容随状态栏高度下移,导致状态栏不透明

    解决方案: 方法1:在html中设置 <meta name="viewport" content="viewport-fit=cover,maximum-scale ...

  4. VMware vCenter 6.5 安装及群集配置介绍

    一.介绍 VMware vCenter Server 提供了一个可伸缩.可扩展的平台,为虚拟化管理奠定了基础.可集中管理VMware vSphere环境,与其他管理平台相比,极大地提高了 IT 管理员 ...

  5. 社交网络图中结点的“重要性”计算 (30 分) C++解法

    社交网络图中结点的"重要性"计算 (30 分) 在社交网络中,个人或单位(结点)之间通过某些关系(边)联系起来.他们受到这些关系的影响,这种影响可以理解为网络中相互连接的结点之间蔓 ...

  6. Java基本数据类型、包装类与String类之间的转换

    一.基本数据类型与包装类之间的转换: import org.junit.Test; public class MainTest { /** * 基本数据类型与包装类之间的转换 */ @Test pub ...

  7. git 连接github.com 并配置密钥

    传送门:http://www.jianshu.com/p/ff1034ed270e #备份ssh cd ~/.ssh $ ls $ mkdir key_backup //创建备份文件夹 $ cp id ...

  8. 网络基础——UDP

    UDP 1.UDP首部格式 源端口号(16) 目标端口号(16) UDP长度(16) UDP校验和(16) UDP长度:用来指出UDP的总长度 校验和:用来完成对UDP数据的差错检验,它是UDP协议提 ...

  9. 【tips】xadmin - django第三方后台管理系统

    Django 为大家提供了一个完善的后台管理系统—admin,但是这个后台管理系统总体来说不太适合国人的习惯,所以有大神就使用 bootstrap 和 jQuery,为我们开发了一个第三 方的 Dja ...

  10. 关于ajax跨域请求API数据的一些问题

    一般来说我们使用jquery的ajax来跨域请求API数据的时候每次请求,就只能请求一组数据,而且当我们再次点击发送ajax请求的时候,新请求的数据会覆盖掉原来的数据,那么如何每次在请求的数据的时候, ...