4

I have an MVC site running on Mono 2.10.8.1 on apache2 under Ubuntu. I have a service that checks credentials and sets cookies if all is good. On Windows I have no problem and get only one cookie: .ASPXAUTH. However, when I deploy to the Linux server, it sets two cookies: ASP.NET_SessionId and .MONOAUTH.

My question is: why are there two cookies on Linux and one on Windows, and how can I get rid of the ASP.NET_SessionId cookie?

I'm setting cookie like this:

    Response.AppendCookie(BuildAuthenticationCookie(login, data));

    public static HttpCookie BuildAuthenticationCookie(string login, string ticketData)
    {
        var authTicket = new FormsAuthenticationTicket(2, login, DateTime.Now,
            DateTime.Now.AddMinutes(500), false, ticketData);
        var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket))
        {
            HttpOnly = true,
            Secure = SiteSettings.CookiesSslOnly,
            Expires = DateTime.Now.AddMinutes(SiteSettings.AuthCookieExpirationTime)
        };
        return authCookie;
    }
Felix

1 Answer

1

I think there is nothing wrong with Mono. In fact, the two cookies you mention, ASP.NET_SessionId and .MONOAUTH, are the Session and Forms Authorization cookies, which really are different.
To get rid of the ASP.NET_SessionId, you can either not use Sessions at all or have cookieless sessions (`<sessionState>` on MSDN).

Note: You should also get two cookies on Windows. If not, it probably means that you didn't hit any MVC Actions that set some value in the SessionState. If you manage to find such an Action, you will get two cookies on Windows as well.

Marcelo Zabani
  • Well, I suppose there is nothing wrong with Mono, I believe it uses its own cookie mechanism. On the Windows side I guess I do have the same two cookies (I do use the same actions), but ASP.NET combines them in one cookie. And thank you, it is useful – Felix Nov 15 '12 at 19:38
  • I don't want to turn off session for the whole application, but I have some controllers that play a web service role and I don't need session for them. I guess there is no way (a good way) to have session off just for part of the application :) – Felix Nov 15 '12 at 19:43
  • Watch out! Microsoft's ASP.NET stack does not use a single cookie for SessionState and Authorization either. These are completely separated in ASP.NET! Check http://stackoverflow.com/questions/6066554/is-there-any-good-reason-why-the-authentication-cookie-and-the-session-state-coo for more information. – Marcelo Zabani Nov 16 '12 at 13:47
  • Yep, thanks... that's what I've already done so far - just use session to store user information... – Felix Nov 18 '12 at 04:31
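
The question's code sets `HttpOnly` and `Secure` only on the authentication cookie it builds itself, while the session cookie is issued by the framework. The check below is an added example, not code from the question or the answer: it classifies the cookies named on this page from a response's `Set-Cookie` headers and reports which flags each one is missing. The function names are hypothetical and the header values are constructed samples.

```python
# Added example: classify ASP.NET / Mono cookies and check their flags.
# Cookie names are the ones reported on this page; header values are constructed.
FORMS_AUTH_NAMES = {".ASPXAUTH", ".MONOAUTH"}   # forms-authentication ticket
SESSION_NAME = "ASP.NET_SessionId"              # session-state identifier


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def classify(name):
    if name in FORMS_AUTH_NAMES:
        return "forms-auth"
    if name == SESSION_NAME:
        return "session-state"
    return "other"


def audit(headers, require_secure=True):
    """Return {cookie name: {"kind", "persistent", "issues"}} for a response."""
    report = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        issues = []
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")
        if require_secure and "secure" not in attrs:
            issues.append("missing Secure")
        report[name] = {
            "kind": classify(name),
            "persistent": "expires" in attrs or "max-age" in attrs,
            "issues": issues,
        }
    return report


# Constructed sample: a response carrying both cookies, as on the Linux server.
LINUX_RESPONSE = [
    "ASP.NET_SessionId=CONSTRUCTED-SESSION-ID; path=/",
    ".MONOAUTH=CONSTRUCTEDTICKET00FF; expires=Fri, 16-Nov-2012 04:00:00 GMT; "
    "path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    for cookie, result in audit(LINUX_RESPONSE).items():
        print(cookie, result)
```

Pass `require_secure=False` when auditing a deployment that is intentionally served over plain HTTP, such as a local test instance.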