This cookie contains the Forms authentication ticket. The ticket, represented by the FormsAuthenticationTicket class, contains the following members:
Version: the version of the ticket format.
Name: the current user's name, unique for the whole system and the main key used to restore the authenticated session. It is also used to bind the ticket to other ASP.NET APIs such as Roles or Profile.
Expiration: when the ticket (and the cookie) expires.
IssueDate: the date on which the ticket was generated.
IsPersistent: whether the cookie will be saved on the hard disk.
UserData: extra data about the user. This is usually an empty string: the Membership provider is what writes it, and the default implementations do not put anything here.
CookiePath: the relative path for which the cookie is stored. The default is "/".
This information is serialized and encrypted, then stored in a cookie on the client side. A private method in the FormsAuthentication class named MakeTicketIntoBinaryBlob is in charge of serializing the ticket. It is called from another private method, Encrypt, which is in charge of the encryption.
Encryption: with this value the ticket is encrypted before being saved in the cookie.
Validation: requires validation of the cookie.
All: the default value, and also the recommended one. Requires both validation and encryption of the cookie that contains the authentication ticket.
None: neither validates nor encrypts the cookie. This value is not recommended, since the cookie is left without any protection. Performance is better because the extra cryptographic work is skipped.
Encryption uses the settings in the <machineKey> section of web.config. From .NET 2.0 onward the AES algorithm is used (Advanced Encryption Standard, also known as Rijndael, the standard for the best balance between security and speed in symmetric encryption), but other, less secure algorithms such as DES and 3DES are also supported.
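The following is an added example, not code from the original article or from the ASP.NET framework itself. It shows the ticket members listed above being assembled into a FormsAuthenticationTicket, passed through FormsAuthentication.Encrypt into the Forms cookie, and read back with FormsAuthentication.Decrypt, which is where the protection and <machineKey> settings take effect. It assumes an ASP.NET (System.Web, .NET 4.0 or later) application whose web.config carries the settings quoted in the leading comment; the class name FormsTicketHelper and its method names are ours, and the key values are placeholders.

```csharp
// Added example (not part of the original article): issuing and reading a
// Forms authentication ticket with the System.Web APIs described above.
// Assumes an ASP.NET application configured roughly as follows (key values
// are placeholders, to be generated per deployment):
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="~/Login" protection="All" requireSSL="true" timeout="30" />
//     </authentication>
//     <machineKey validation="HMACSHA256" decryption="AES"
//                 validationKey="[PLACEHOLDER validation key]"
//                 decryptionKey="[PLACEHOLDER decryption key]" />
//   </system.web>
//
using System;
using System.Web;
using System.Web.Security;

public static class FormsTicketHelper
{
    // Build the ticket from the members listed above and wrap the encrypted
    // blob in the Forms cookie. The ticket never reaches the client in clear
    // text: Encrypt() serializes it (MakeTicketIntoBinaryBlob) and then applies
    // the <machineKey> / protection settings from web.config.
    public static HttpCookie CreateAuthCookie(string userName, bool isPersistent, string userData)
    {
        if (string.IsNullOrEmpty(userName))
            throw new ArgumentException("userName is the key used to restore the session and must not be empty.");

        DateTime issued = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                          // Version
            userName,                                   // Name
            issued,                                     // IssueDate
            issued.Add(FormsAuthentication.Timeout),    // Expiration, from <forms timeout>
            isPersistent,                               // IsPersistent
            userData ?? string.Empty,                   // UserData (usually empty, see above)
            FormsAuthentication.FormsCookiePath);       // CookiePath, default "/"

        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                            // keep the ticket out of reach of script
            Secure = FormsAuthentication.RequireSSL,    // mirrors <forms requireSSL>
            Path = ticket.CookiePath
        };
        if (ticket.IsPersistent)
            cookie.Expires = ticket.Expiration;         // only persistent tickets get a stored lifetime
        return cookie;
    }

    // Read the cookie back. With protection="All" (or "Validation") Decrypt()
    // checks the MAC before deserializing, so a modified or forged blob is
    // rejected here instead of producing an arbitrary Name. With
    // protection="None" there is no such check, which is why that value is
    // discouraged above.
    public static bool TryReadTicket(HttpCookie cookie, out FormsAuthenticationTicket ticket)
    {
        ticket = null;
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return false;

        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)   // ArgumentException / HttpException: bad format, bad MAC or wrong key
        {
            return false;
        }

        // Newer framework versions return null instead of throwing on a validation failure.
        if (ticket == null || ticket.Expired)
        {
            ticket = null;
            return false;
        }
        return true;
    }
}
```

In a login handler the cookie is issued with Response.Cookies.Add(FormsTicketHelper.CreateAuthCookie(user, rememberMe, "")), and on later requests it is read from Request.Cookies[FormsAuthentication.FormsCookieName] via TryReadTicket; only when that returns true should ticket.Name be treated as the authenticated user. Because Encrypt and Decrypt derive their keys from <machineKey>, every server in a farm must share the same explicit keys, otherwise tickets issued by one node fail validation on another.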