Use same cookie for session and authentication

[shravan2x]

It appears that right now, separate cookies are being created for session data and authentication, named .AspNetCore.Session and .AspNetCore.Cookie. Since both these cookies serve only to uniquely identify users, could they be combined? i.e. Have session use the authentication cookie?

[Tratcher]

Nope, the cookies are extremely different. The session cookie is just a unique ID, but it has a specific lifetime such that it doesn't persist across browser sessions. Also note the session cookie doesn't ID a user, it IDs a browser session. It can be used before sign-in and after sign-out.

The auth cookie is not a unique ID, it's a serialized, encrypted copy of the user. This is useful for OAuth/OIDC scenarios where you don't have a local user database. It also has two built in forms of expiration, the ability to persist beyond a single browser session, etc..