We need to implement authentication for an ASP.NET MVC project and are looking at the ASP.NET authentication framework to see if it will work. One concern is that apparently it stores the UserID in the session. I just got off the phone with Microsoft, and they advised that in a web farm scenario we would need a state server, and that there is some performance hit with that.
In the classic ASP world, we always tried to avoid using session due to the issues that arise in a web farm scenario. We would drop a cookie with the UserID and a time duration of however long we wanted the session to be. If I were to do it this way today, I'd add encryption to the cookie as well. For reference, this is not for a bank or security-clearance-type project; we want security, but I would be fine with the security a well-encrypted cookie would offer from sniffers, etc.
In terms of performance, code quality, schedule, etc., would it be better to use the ASP.NET authentication and a state server, or to simply create a form that authenticates manually and drops an encrypted cookie with limited time duration? (If anyone happens to know, I was also curious how SO handles authentication.)
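
An added example, not part of the original question: one way to build the time-limited encrypted cookie value described above so that any server in a farm can validate it without session state. The `AuthCookie` class and its method names are hypothetical, and it assumes two 32-byte keys (`encKey`, `macKey`) shared by every node; an HMAC is included because encryption alone does not detect tampering.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Hypothetical helper, not an ASP.NET API. Token = Base64(IV || AES-CBC ciphertext || HMAC-SHA256 tag).
public static class AuthCookie
{
    public static string Protect(string userId, DateTime expiresUtc, byte[] encKey, byte[] macKey)
    {
        // The expiry travels inside the protected payload, so the client cannot extend it.
        byte[] plain = Encoding.UTF8.GetBytes(expiresUtc.Ticks + "|" + userId);
        using (var aes = Aes.Create())                          // defaults: CBC, PKCS7
        using (var hmac = new HMACSHA256(macKey))
        using (var enc = aes.CreateEncryptor(encKey, aes.IV))   // random IV per Aes instance
        {
            byte[] iv = aes.IV;
            byte[] ct = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] token = new byte[iv.Length + ct.Length + 32];
            Buffer.BlockCopy(iv, 0, token, 0, iv.Length);
            Buffer.BlockCopy(ct, 0, token, iv.Length, ct.Length);
            byte[] tag = hmac.ComputeHash(token, 0, iv.Length + ct.Length); // encrypt-then-MAC
            Buffer.BlockCopy(tag, 0, token, iv.Length + ct.Length, tag.Length);
            return Convert.ToBase64String(token);
        }
    }
    // Returns the user ID, or null if the token is malformed, tampered with, or expired.
    public static string Unprotect(string token, DateTime nowUtc, byte[] encKey, byte[] macKey)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(token ?? ""); } catch (FormatException) { return null; }
        int bodyLen = raw.Length - 32;                          // everything before the tag
        if (bodyLen < 32 || bodyLen % 16 != 0) return null;     // need IV + at least one block
        byte[] iv = new byte[16];
        Buffer.BlockCopy(raw, 0, iv, 0, 16);
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(raw, 0, bodyLen);
            int diff = 0;                                       // constant-time tag comparison
            for (int i = 0; i < 32; i++) diff |= expected[i] ^ raw[bodyLen + i];
            if (diff != 0) return null;                         // reject before decrypting
        }
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(encKey, iv))
        {
            string plain = Encoding.UTF8.GetString(dec.TransformFinalBlock(raw, 16, bodyLen - 16));
            string[] parts = plain.Split(new[] { '|' }, 2);
            long ticks;
            return parts.Length == 2 && long.TryParse(parts[0], out ticks) && ticks >= nowUtc.Ticks
                ? parts[1] : null;
        }
    }
}
```

Set the returned string as the cookie value with the `HttpOnly` and `Secure` flags. A copied token stays valid until its embedded expiry, so keep the lifetime short.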