views:

4269

answers:

4

I am working with ASP.NET cookies while using forms authentication, and I came to know about the aspxauth cookie.

What is the purpose of this cookie?

What is the location of this cookie?

A: 

Whenever we are viewing any aspx page and the Session object is used, ASP.NET automatically creates a Session Id. This is called the ASPXAUTH cookie. And this is used throughout the session, i.e. until the user closes the browser window.
This article may be useful for you.

Sachin Gaur
The article you are linking to states that ASP.NET_SessionId is used to maintain the session id, while .ASPXAUTH is used for authentication. It's not the same cookie.
Erlend
+18  A: 

The statement "ASPXAUTH is basically used to maintain ASP.NET Session State" is incorrect. ASP.NET issues an entirely different cookie, named ASP.NET_SessionId, to track session state.

The ASPXAUTH cookie is used to determine if a user is authenticated.

As far as the location of the cookie, that depends on your browser. If you are using Firefox you can view the cookie by clicking on Tools -> Options -> Privacy. Then scroll down to the domain and expand it to see the cookie and its value. The value is encrypted using the machine key (located in the server's machine.config or web.config file) so looking at the cookie on the client won't really provide you any information.

Todd
A: 

It stores your login session data such as when your login expires, your roles, etc - it is encrypted.

Jobo
A: 

Actually the .ASPXAUTH cookie does not accurately tell you when the user is truly authenticated. When the user logs out of the app, the .ASPXAUTH cookie is removed from the browser. However, if you go back to the site within a short period of time (within the timeout of the forms auth cookie) and edit the new ASP.NET_SessionId cookie as follows:

- change the "name" field from "ASP.NET_SessionId" to ".ASPXAUTH"
- change the "value" from the 24-char session ID to the old 448-char authentication string

After a refresh you will be able to assume the identity of the authenticated user without technically re-authenticating again (again, assuming you do this within the specified timeout stored within the .ASPXAUTH encrypted auth string).

Robert
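The two points above (Todd: the cookie value is an encrypted ticket that only the server holding the machineKey can read; Robert: the ticket stays valid until its own expiry even after SignOut deletes the cookie, so an old value can be replayed) can be handled in one place on the server. The following is an added example, not code from any of the answers: an IHttpModule for a classic ASP.NET (System.Web) Forms Authentication application that decrypts the .ASPXAUTH ticket server-side and rejects tickets issued before the user's last explicit sign-out. The class name AuthTicketGuard, the in-memory LastSignOut store and the RecordSignOut helper are assumptions for illustration; a real deployment would keep the sign-out timestamps in a database or distributed cache shared by all web nodes.

```csharp
// Added example: server-side guard against replay of a still-unexpired
// Forms Authentication ticket after logout. Hypothetical names; assumes
// classic ASP.NET (System.Web) with <authentication mode="Forms" />.
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

public class AuthTicketGuard : IHttpModule
{
    // Hypothetical store: user name -> UTC time of the last explicit sign-out.
    // In-memory here for the example; use shared storage across a web farm.
    private static readonly ConcurrentDictionary<string, DateTime> LastSignOut =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public void Init(HttpApplication app)
    {
        // FormsAuthenticationModule has already accepted the ticket by this
        // point; we get a chance to overrule it before authorization runs.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    // Call this from the logout handler, next to FormsAuthentication.SignOut().
    // SignOut only deletes the client cookie; this records the revocation point.
    public static void RecordSignOut(string userName)
    {
        LastSignOut[userName] = DateTime.UtcNow;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // FormsCookieName is ".ASPXAUTH" unless web.config renames it.
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            return; // anonymous request, nothing to check

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypts and validates the MAC using the machineKey. A client
            // cannot do this; it only sees the opaque encrypted string.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Tampered value, or a ticket issued under a different machineKey.
            Reject(context);
            return;
        }

        if (ticket == null || ticket.Expired)
        {
            Reject(context);
            return;
        }

        // The replay case: ticket is within its lifetime, but the user
        // signed out after it was issued. Treat it as revoked.
        DateTime signedOutAt;
        if (LastSignOut.TryGetValue(ticket.Name, out signedOutAt) &&
            ticket.IssueDate.ToUniversalTime() < signedOutAt)
        {
            Reject(context);
        }
    }

    private static void Reject(HttpContext context)
    {
        context.User = null;               // drop the identity for this request
        FormsAuthentication.SignOut();     // clear the cookie on the client
        context.Response.Redirect(FormsAuthentication.LoginUrl, true);
    }
}
```

Register the module in web.config under `<system.webServer><modules>` (IIS integrated mode) or `<system.web><httpModules>` (classic mode), and call `AuthTicketGuard.RecordSignOut(User.Identity.Name)` immediately before `FormsAuthentication.SignOut()` in the logout action. The same IssueDate comparison also covers "log out everywhere" after a password change: record the timestamp there too and every ticket issued earlier becomes invalid on its next use.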