Other OOTB features of FormsAuthentication are:

- encryption and decryption of the cookie
- sliding expiration
- easy integration with other ASP.NET features such as the membership provider (if you want to use it)

On the other hand, I don't really see the problem with the machine key: it can be set explicitly in the web.config, so there should not be a problem using the same key when deploying in a server farm.

Microsoft has an excellent article describing what the cookie contains (see excerpt below). I don't really find any values that make no sense to be there:

- Expires. This property specifies the expiration date and time for the cookie. Forms authentication only sets this value if your code indicates that a persistent forms-authentication cookie should be issued.
- Domain. This property specifies the domain with which the cookie is associated. The default value is null.
- HasKeys. This property indicates whether the cookie has subkeys.
- HttpOnly. This property specifies whether the cookie can be accessed by client script. In ASP.NET 2.0, this value is always set to true. Internet Explorer 6 Service Pack 1 supports this cookie attribute, which prevents client-side script from accessing the cookie from the document.cookie property. If an attempt is made to access the cookie from client-side script, an empty string is returned. The cookie is still sent to the server whenever the user browses to a Web site in the current domain.
  - Note: Web browsers that do not support the HttpOnly cookie attribute either ignore the cookie or ignore the attribute, which means that the session is still subject to cross-site scripting attacks.
- Path. This property specifies the virtual path for the cookie. The default value is "/", indicating root directory.
- Secure. This property specifies whether the cookie should only be transmitted over an HTTPS connection. The Secure property should be set to true so that the cookie is protected by SSL encryption.
- Version. This property specifies the version number of the cookie.
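
A web.config fragment tying together the points above (explicit machine key for a farm, sliding expiration, Secure cookie), as an added example that is not part of the original answer or of Microsoft's article. It assumes ASP.NET 4.0 or later for `HMACSHA256`; the key values, login URL and timeout are placeholders.

```xml
<configuration>
  <system.web>
    <!--
      Default (problematic in a farm): each server generates its own keys,
      so a ticket issued by node A fails validation on node B.
        <machineKey validationKey="AutoGenerate,IsolateApps"
                    decryptionKey="AutoGenerate,IsolateApps" />
    -->

    <!--
      Farm setting: the same explicit keys on every node.
      Generate the values once with a cryptographic RNG, keep them out of
      source control, and deploy the identical element to all servers.
      Both values below are placeholders, not usable keys.
    -->
    <machineKey validationKey="PLACEHOLDER_HEX_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_HEX_DECRYPTION_KEY"
                validation="HMACSHA256"
                decryption="AES" />

    <authentication mode="Forms">
      <!--
        protection="All"         encrypt and validate (MAC) the ticket
        slidingExpiration="true" renew the ticket while the user is active
        requireSSL="true"        emit the cookie with the Secure attribute
        timeout                  minutes; 30 is an illustrative value
        loginUrl                 hypothetical path for this example
      -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Account/Login"
             protection="All"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies"
             path="/" />
    </authentication>

    <!-- Apply HttpOnly and Secure to the application's other cookies too. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With `requireSSL="true"` the browser does not send the cookie over plain HTTP, so the whole authenticated area of the site has to be served over HTTPS.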