ASP.NET_SessionId vs .ASPXAUTH why do we need both of them?

asp.net


ASP.Net_SessionId is a cookie which is used to identify the user's session on the server. The session is an area on the server which can be used to store data in between HTTP requests.

For example, the controller action may perform:

Session["FirstName"] = model.FirstName;

Then, in a subsequent action the first name can be retrieved from the session:

var firstName = Session["FirstName"];

The ASP.Net_SessionId identifies the session for that user's request. A different user will submit a different cookie and thus Session["FirstName"] will hold a different value for that different user.

ASPXAUTH is a cookie to identify if the user is authenticated (that is, has their identity been verified). For example, a controller action may determine if the user has provided the correct login credentials and, if so, issue an authentication cookie using:

FormsAuthentication.SetAuthCookie(username, false);

Then later you can check if the user is authorised to perform an action by using the [Authorize] attribute which checks for the presence of the ASPXAUTH cookie.

So in summary, the cookies are there for two different purposes: one to determine the user's session state and one to determine if the user is authenticated.

To complete the answer to your question, yes, you could get rid of the ASPXAUTH cookie and just use session to identify the user (I have seen this done in older classic ASP applications) but I wouldn't recommend it. It is much better to have a cleaner separation of concerns and use the appropriate method where necessary. The session and authentication will have their own time-out values set. By using the session for authentication you will only have the single time-out. I'm not sure though if there are any security implications in just using session for authentication, but still I would keep them separate.
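As an added illustration of the separation this answer describes (example code, not from the answer or from any project), here is an ASP.NET MVC controller that issues .ASPXAUTH only after credentials are verified, keeps per-user data in session state under ASP.NET_SessionId, and gates actions with [Authorize]. It assumes ASP.NET Membership is configured for Membership.ValidateUser; the LoginModel type and action names are hypothetical.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical view model for the login form (not part of the original answer).
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model)
    {
        // Membership.ValidateUser is assumed to be backed by a configured membership provider.
        if (!ModelState.IsValid || !Membership.ValidateUser(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        // Drop whatever session the browser arrived with before the user becomes
        // authenticated: Abandon() discards the server-side data and the emptied
        // cookie makes ASP.NET issue a fresh ASP.NET_SessionId on the next request.
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "") { HttpOnly = true });

        // .ASPXAUTH is issued only now, after the credentials were verified.
        // false = non-persistent cookie; it lives for the forms timeout, not across browser restarts.
        FormsAuthentication.SetAuthCookie(model.UserName, false);

        return RedirectToAction("Index", "Home");
    }

    // Session state: data carried between requests, keyed by ASP.NET_SessionId.
    [Authorize]
    [HttpPost]
    public ActionResult SaveName(string firstName)
    {
        Session["FirstName"] = firstName;
        return RedirectToAction("Greet");
    }

    // [Authorize] requires a valid .ASPXAUTH ticket; having a session is not enough.
    [Authorize]
    public ActionResult Greet()
    {
        var firstName = Session["FirstName"] as string ?? "stranger";
        return Content("Hello, " + firstName);
    }

    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();   // removes .ASPXAUTH
        Session.Abandon();               // discards the session data on the server
        return RedirectToAction("Index", "Home");
    }
}
```

The two lifetimes the answer mentions are configured independently in web.config: the session timeout via `<sessionState timeout="20" />` and the authentication ticket timeout via `<authentication mode="Forms"><forms loginUrl="~/Account/Login" timeout="30" /></authentication>` (values here are illustrative). A user whose session expired but whose ticket is still valid passes [Authorize] and simply sees "Hello, stranger"; a user whose ticket expired is sent to the login page regardless of what is in session.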


.NET issues an entirely different cookie, named ASP.NET_SessionId, to track session state.

The ASPXAUTH cookie is used to determine if a user is authenticated.

So these are two different concepts, i.e. Session State Management and Authentication Management using Forms Authentication.

If you use Session to authenticate and forget Forms Authentication, you will get rid of .ASPXAUTH.


Both are required; using either one alone results in the following vulnerabilities:

* ASP.NET_SessionId alone: Session Fixation

* Forms Authentication Cookie alone: Can't Terminate Authentication Token on the Server

Also, you need to ensure they are coupled together properly. Otherwise, the configuration also poses a risk:

* Loosely Coupled ASP.NET_SessionID and Forms Authentication Cookies: Still Vulnerable

Ref: http://blog.securityps.com/2013/06/session-fixation-forms-authentication.html
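One way to implement the tight coupling this answer calls for (added example code, not from the answer or the linked blog): at login the application gives the user a fresh ASP.NET_SessionId and records that id in the UserData field of the forms authentication ticket; an IHttpModule then rejects any authenticated request whose ticket and session id disagree. Abandoning the session on the server therefore also invalidates the ticket, which addresses the "can't terminate on the server" point. The class and module names are hypothetical, the ticket lifetime is illustrative, and it assumes the default cookie-based SessionIDManager.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Hypothetical helper: call from the login action after credentials have been verified.
public static class CoupledAuth
{
    public static void IssueTicket(HttpContext ctx, string userName)
    {
        // Replace any session id the browser presented before login with a
        // server-generated one, so a pre-chosen id never becomes an authenticated session.
        var idManager = new SessionIDManager();
        string newSessionId = idManager.CreateSessionID(ctx);
        bool redirected, cookieAdded;
        idManager.SaveSessionID(ctx, newSessionId, out redirected, out cookieAdded);

        // UserData carries the session id this ticket is bound to (30 minutes is illustrative).
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, newSessionId);
        string encrypted = FormsAuthentication.Encrypt(ticket);
        ctx.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        });
    }
}

// Hypothetical module: enforces that .ASPXAUTH and ASP.NET_SessionId belong together.
public class SessionAuthBindingModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Session state has been loaded by the time PostAcquireRequestState fires.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || ctx.Session == null) return;

        var identity = ctx.User.Identity as FormsIdentity;
        if (identity == null) return;   // anonymous request: nothing to bind

        string boundSessionId = identity.Ticket.UserData;
        if (!string.Equals(boundSessionId, ctx.Session.SessionID, StringComparison.Ordinal))
        {
            // Ticket presented with a different (or already abandoned) session:
            // terminate both so the pair can only be re-established by logging in again.
            FormsAuthentication.SignOut();
            ctx.Session.Abandon();
            ctx.Response.Redirect(FormsAuthentication.LoginUrl, true);
        }
    }

    public void Dispose() { }
}
```

Register the module in web.config under `<system.webServer><modules>` (for example `<add name="SessionAuthBinding" type="SessionAuthBindingModule" />`) and make sure the login action stores at least one value in session after issuing the ticket, since ASP.NET does not persist a session that is never written to. With this in place, calling Session.Abandon() for a user on the server, or a server-side session timeout, also ends that user's authenticated state on the next request.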