authentication, why cookies?


persianboy
Nov 15th, 2003, 10:36 PM
Hi,

Why does the framework use cookies for saving and retrieving the authentication ticket, and doesn't just put the authentication ticket and all other stuff as an object in the user's session?! What are the cons and pros of using cookies or the session in this case?!


Asking because I have to program a custom authentication. I was wondering should I follow .NET's steps and use a cookie, or keep the authentication info in the session, which to me sounds more useful and easier to implement since we don't have to care anymore about the settings of the user, and we can use a single authentication for multiple pages and domains.


Thanks...

hellswraith
Nov 16th, 2003, 12:51 AM
The main advantage to using cookies is you can persist a user's logon from session to session. This is desirable for sites such as this one that remember you when you come back. The only way this is possible is through cookies.

You can use session authentication also, and pass it around in the querystring or hidden values.

Whatever you do, don't discount the security model that MS has put in place. They implemented it there for us to use easily to integrate into our solutions. They use the same authentication schemes for their sites. If you implement it right, then it should be as secure as, or more secure than, something you could roll up yourself.

Good luck.
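
Added example (not from either poster and not Microsoft's own code): one way a custom login can issue and read the forms authentication ticket discussed in this thread, showing where the persistence across browser sessions comes from. `TicketHelper`, `IssueTicket` and `ReadTicket` are hypothetical names, and the 14-day and 30-minute lifetimes are assumed values.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added illustration; TicketHelper and its method names are hypothetical.
public static class TicketHelper
{
    // Call only after your own custom check has verified the credentials.
    public static void IssueTicket(HttpResponse response, string userName,
                                   string roles, bool rememberMe)
    {
        DateTime now = DateTime.Now;
        // Assumed lifetimes: 14 days for "remember me", 30 minutes otherwise.
        DateTime expires = rememberMe ? now.AddDays(14) : now.AddMinutes(30);

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, expires, rememberMe, roles,
            FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket according to the machineKey settings,
        // so the client cannot read or alter the name, roles or expiry.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // hidden from script (.NET 2.0+)
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows requireSSL in web.config
        if (rememberMe)
            cookie.Expires = expires;  // without Expires the cookie ends with the browser
        response.Cookies.Add(cookie);
    }

    // Returns the ticket carried by the request, or null when it is
    // missing, malformed, fails validation, or has expired.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
        catch (ArgumentException) { return null; }       // not a valid ticket string
        catch (HttpException) { return null; }           // validation failed
        catch (CryptographicException) { return null; }  // decryption failed
    }
}
```

The ticket's expiry is checked on the server from the encrypted value, so the cookie's own `Expires` attribute only controls whether the browser keeps it after closing.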