Application appears to have two session cookies

Question

In my application I'm seeing it's setting two session cookies:

• .AspNet.ApplicationCookie
• ASP.NET_SessionId

I can understand the requirement for a session cookie but why have two? What are the specific purposes of each?

I'm using asp.net identity in case that has something to do with it.

Answer 1

.AspNet.ApplicationCookie basically is created when you use cookie authentication in your application. This cookie is created by the server on user request and is stored by the browser.

AspNet.ApplicationCookie gets sent with each subsequent request to inform the server the identity of the logged in user. It usually gets deleted when the user logs out(depends on expiry interval).

---

ASP.NET_SessionId cookie gets automatically created by Asp.net. There is no control over this cookie. It is created for the first time when the application is accessed by a user.

Even if the user has logged out, this cookie and its value are not deleted by the browser. This is because when the session is abandoned, any new requests to the same application will use the same session ID but will have a new session state instance.

Answer 2

Good description of .AspNet.ApplicationCookie.

As others have said, ASP.NET_SessionId is user session.

Answer 3

Application cookie has scope for the application(to identify the application o nthe server), shared between different users, whereas a session cookie(to identify the suer session) is a user session specific.