marcos.borunda

Reputation: 1486

Why is Session state different from Form Authentication state?

Maybe I'm missing some fundamentals about this, I just don't get why Form Authentication is not built on top of Session.

I've had some issues with Form Authentication timeout and Session timeout, I understand how to get around those issues thanks to blog posts like this one.

But why are they separated?

Upvotes: 0

Views: 2568

Answers (2)

Aristos

Reputation: 66641

Basically because some may choose to use only one of them, and because they are two different modules, and both give the interface to make a custom one.

Also, a user can have a session without ever having been authenticated.

Also, some others (like me) can make a totally custom session module, but keep the Authentication module.

So these are two different modules and they cannot be connected.

Upvotes: 2

Darin Dimitrov

Reputation: 1038940

> I just don't get why Form Authentication is not built on top of Session.

Forms Authentication uses cookies, which are common in all applications. Only the currently authenticated username is stored in the cookie. The session, on the other hand, could store arbitrarily large values as it is stored on the server. You cannot persist arbitrarily large data into cookies.

The session state has lots of problems. For example, if you are running in a web farm you need to ensure that you are using an out-of-process session persistence instead of the default InProc so that all nodes of your web farm could share the same session data.

Personally I never use sessions in my applications. The very first thing I do is to ensure that I disable all session state in my web.config:

<sessionState mode="Off" />

This way I am sure that no developer working on my projects would ever make the mistake of using ASP.NET sessions. They turn web applications which are intended to be stateless into stateful.

With cookies you do not have such problems. You could throw as many nodes as you want at your web farm to face increasing user load without ever worrying about any state on the server.

Upvotes: 4
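An added example, not part of either answer: a web.config sketch of the setup described above, with session state off and Forms Authentication carrying its own timeout. The login URL, timeout and key values are placeholders, and the `machineKey` element is an assumption beyond the page: in a web farm every node needs the same keys so each one can validate and decrypt the ticket cookie.

```xml
<!-- Added example; all values are placeholders, not taken from the answers. -->
<configuration>
  <system.web>
    <!-- Session module disabled, as in the answer above. -->
    <sessionState mode="Off" />

    <!-- Forms Authentication has its own timeout (in minutes),
         independent of any session timeout. The ticket travels in
         an encrypted, signed cookie rather than in server memory. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             protection="All" />
    </authentication>

    <!-- Web farm: all nodes must share identical keys, otherwise a
         ticket issued by one node fails validation on another. -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

If session state is left on, its `timeout` is configured separately on `sessionState`, which is why the two can expire at different times.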
