David

Does FormsAuthentication.SetAuthCookie() make a session based cookie?

OK, I'm rather confused: does FormsAuthentication.SetAuthCookie() in ASP.NET create a session-based cookie or not? From what I gather, to put something in a session you would do something like this in the code-behind:

Session["userAge"] = 25;

Now, regardless of whether a cookie is created, this will work as it's server side, so I'm confused when I read that you can have session and sessionless cookies. If so, how do you create each one, and how would you access session variables in the cookie in .NET?

Upvotes: 10

Views: 5111

Answers (2)

John Rasch

Reputation: 63445

I'm not sure exactly what you're asking, but if your question is how can you access Session["userAge"] without an auth cookie, the answer is because it's a separate entity from the session.

The auth cookie (default name .ASPXAUTH) is created before the session is even started so it can't be based on the session.

Upvotes: 2

womp

Reputation: 116977

This is a common confusion. Session and FormsAuthentication are two separate concepts - they have independent timeouts and independent cookies (or no cookies if you're using Cookieless sessions.)

Session on the server is identified by a unique cookie that is created even for anonymous users. This cookie holds a SessionID that has nothing to do with FormsAuthentication.

The FormsAuthentication cookie contains a number of things, the most important of which is the authentication ticket. This ticket is an encrypted bit of info that identifies the user against the login credentials supplied. There is a great step-by-step flowchart and explanation of what's in a ticket in this MSDN article.

Upvotes: 21
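An added example, not part of either answer, showing the two cookies side by side and why sign-out has to end both the ticket and the session. It assumes a System.Web application with forms authentication enabled and the default cookie names; the handler name, the `action` query parameter and the `demo-user` name are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Hypothetical diagnostic handler (class name and "action" parameter are assumptions).
public class CookieReportHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;
        response.ContentType = "text/plain";
        switch (context.Request.QueryString["action"])
        {
            case "login":
                // false = browser-session cookie (no Expires); true = persistent cookie.
                FormsAuthentication.SetAuthCookie("demo-user", false);
                break;
            case "logout":
                FormsAuthentication.SignOut(); // expires only the auth cookie
                context.Session.Abandon();     // session state is ended separately
                break;
            default:
                // Server-side session data; works for anonymous users too.
                context.Session["userAge"] = 25;
                break;
        }
        // Session cookie (default name, configurable in <sessionState>): holds only the SessionID.
        bool hasSessionCookie = context.Request.Cookies["ASP.NET_SessionId"] != null;
        response.Write("Session cookie present: " + hasSessionCookie + "\n");
        // Auth cookie (default name .ASPXAUTH): holds the encrypted ticket.
        HttpCookie authCookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
        {
            response.Write("Auth cookie present: False\n");
            return;
        }
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
            response.Write("Ticket user: " + ticket.Name + ", persistent: " + ticket.IsPersistent + ", expires: " + ticket.Expiration.ToString("u") + "\n");
        }
        catch (Exception) // an invalid or tampered cookie value ends up here
        {
            response.Write("Auth cookie present but ticket is invalid\n");
        }
    }
}
```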
