https://stackoverflow.com/questions/23758704/asp-net-sessionid-vs-aspxauth-why-do-we-need-both-of-them

ASP.Net_SessionId is a cookie which is used to identify the users session on the server. The session being an area on the server which can be used to store data in between http requests.

For example, the controller action may perform:

Session["FirstName"] = model.FirstName;

Then, in a subsequent action the first name can be retrieved from the session:

var firstName = Session["FirstName"];

The ASP.Net_SessionId identifies the session for that users request. A different user will submit a different cookie and thus Session["FirstName"] will hold a different value for that different user.

ASPXAUTH is a cookie to identify if the user is authenticated (that is, has their identity been verified). For example, a controller action may determine if the user has provided the correct login credentials and if so issue a authentication cookie using:

FormsAuthentication.SetAuthCookie(username, false);

Then later you can check if the user is authorised to perform an action by using the [Authorize] attribute which checks for the presence of the ASPXAUTH cookie.

So in summary, the cookies are there for 2 different purposes. One to determine the users session state and one to determine if the user is authenticated.

To complete the answer to your question, yes, you could get rid of the ASPXAUTH cookie and just use session to identify the user (I have seen this done in older classic asp applications) but I wouldn't recommend it. It is much better to have a cleaner separation of concerns and use the appropriate method where necessary. The session and authentication will have their own time-out values set. By using the session for authentication you will only have the single time-out. I'm not sure though if there are any security implications in just using session for authentication, but still I would keep them separate.

https://stackoverflow.com/questions/423467/what-is-aspxauth-cookie

The ASPXAUTH cookie is used to determine if a user is authenticated.

As far as the location of the cookie, that depends on your browser. If you are using Firefox you can view the cookie by clicking on Tools -> Options -> Privacy. Then scroll down to the domain and expand it to see the cookie and its value. The value is encrypted using the machine key (located in the server's machine.config or web.config file) so looking at the cookie on the client won't really provide you any information. You can decrypt/view the value on the server side using:

HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];//.ASPXAUTH
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);

where authTicket has these fields:

The statement "ASPXAUTH is basically used to maintain ASP.NET Session State" is incorrect. ASP.NET issues an entirely different cookie, named ASP.NET_SessionId, to track session state.

待解决的问题

aspxformsauth 有domain和path,但是asp.net_sessionid没有。

所以在web.config中,还是不要配置doamin和path,直接修改aspxformsauth的name来进行区分不同的Application.

http://www.cnblogs.com/chucklu/p/7813459.html

ASP.NET_SessionId vs .ASPXAUTH why do we need both of them?的更多相关文章

  1. How to secure the ASP.NET_SessionId cookie? 设置ASP.NET_SessionId Secure=true

    How to secure the ASP.NET_SessionId cookie? To add the ; secure suffix to the Set-Cookie http header ...

  2. ASP.NET_SessionId 不相同导致验证码出错

    问题: 今天碰到一个比较奇怪的问题,每个页面请求的cookie的ASP.NET_SessionId 不相同,导致验证码检验出错.也就是说每个请求都是一个新的会话,我们把验证码保证在Session[ra ...

  3. IIS安全工具UrlScan介绍 ASP.NET 两种超强SQL 注入免费解决方案( 基于IIS,使用免费工具) 批改或隐藏IIS7.5的Server头信息 移除X-Powered-By,MVC,ASP.NET_SessionId 的 HTTP头或者cookie名称

    微软给了我们一个很好的工具用来使IIS安全的运行-------UrlScan,下面是它的配置文件介绍 [options]UseAllowVerbs=1                ; 若为1,则使用 ...

  4. python抢票开发——设备预约助手实现

    女朋友是药学院的,做实验时需要在特定的网站上进行设备预约,由于预约人数过多,从而导致从浏览器登录不进去或者登录进去预约失败等情况,所以我用python帮她写了一个抢位助手,让程序自动去进行位置预定,实 ...

  5. ASP.NET Session and Forms Authentication and Session Fixation

    https://peterwong.net/blog/asp-net-session-and-forms-authentication/ The title can be misleading, be ...

  6. ASP.NET MVC开发日常一:SessionID合理清除

    在MVC Web开发中临时存储数据一般会用到Session,Cookie,ViewBag,ViewData,TempData.每个的使用场景是不同,具体区别有空再补上. Session数据最敏感,最需 ...

  7. ASP.NET Cookie(一)--基本应用

    Cookie提供了一种在Web应用程序中存储用户特定信息的方法.例如,当用户访问您的站点时,您可以使用Cookie存储用户首选项或其他信息.当该用户再次访问您的网站时,应用程序便可以检索以前存储的信息 ...

  8. HTML <input type="file">上传文件——结合asp.net的一个文件上传示例

    HTML的代码:(关键是要在form里设置enctype="multipart/form-data",这样才能在提交表单时,将文件以二进制流的形式传输到服务器) 一. <fo ...

  9. asp.net,cookie,写cookie,取cookie

    Cookie是一段文本信息,在客户端存储 Cookie 是 ASP.NET 的会话状态将请求与会话关联的方法之一.Cookie 也可以直接用于在请求之间保持数据,但数据随后将存储在客户端并随每个请求一 ...

随机推荐

  1. idea使用maven install命令打包(springboot),jar运行时出现没有主清单属性

    原因是:我的项目里除了springboot启动类还自定义了多个main来搞了点小demo,就因为这个原因我花了近一天的时间才找清楚原因. 解决方案:找到多余的main方法,注释或删除掉. (下面可以忽 ...

  2. 作业 3-5 switch语句的应用

    /*输入五级制成绩(A-E),输出相应的百分制成绩(0-100)区间*/ #include<stdio.h> int main(void) { char ch;/*定义一个字符*/ pri ...

  3. buf.readUIntBE()

    buf.readUIntBE(offset, byteLength[, noAssert]) buf.readUIntLE(offset, byteLength[, noAssert]) offset ...

  4. Python面向对象之面向对象封装案例

    面向对象封装案例 封装 封装是面型对象编程的一大特点 面向对象编程的第一步--将属性和方法封装到一个抽象的类中: 外界使用类创建对象,然后让对象调用方法: 对象方法的细节都被封装在类的内部. 一个对象 ...

  5. THUSC2019滚粗记

    关于\(\mathrm{APIO}\)游记,它咕了... Day -1 \(\mathrm{\_tham}\)今天并没有准备给我们考试,所以机房充斥着过年的气息(雾 下午就要出发了,由于一些众所周知的 ...

  6. idea 类图显示

    不得不说idea java开发的神器啊,免去了自己画图的很多工作量. 打开类图快捷键:Ctrl+Alt+Shift+U

  7. BZOJ 3894 Luogu P4313 文理分科 (最小割)

    题目链接: (bzoj) https://www.lydsy.com/JudgeOnline/problem.php?id=3894 (luogu) https://www.luogu.org/pro ...

  8. alpha版出炉,实现win2008 service的session 0穿透

    指定用户名,拿最小session,实现和用户ui交互. 这样,搞windows的自动化部署,就可以向前一大步啦. 比以前用psexec要用户名密码,指定session要先进多啦. 安全保密性也提高了. ...

  9. 用ZooKeeper做为注册中心搭建基于Spring Cloud实现服务注册与发现

    前提: 先安装好ZooKeeper的环境,搭建参考:http://www.cnblogs.com/EasonJim/p/7482961.html 说明: 可以再简单的理解为有两方协作,一个是服务提供这 ...

  10. FreeMarker与Servlet结合示例

    一.最原始示例 1.引入POM依赖 <!-- https://mvnrepository.com/artifact/org.freemarker/freemarker --> <de ...