>Yes, it's pretty common for apps to actually have two cookies: one for managing authentication (like Forms Authentication) and one for user identification if anonymous access is allowed. The auth cookie only works when users are authenticated. Depending on the application, you might not need to track any information on anonymous users, and if that's the case, the FormsAuth cookie with the attached user data can be all you need. Most of my apps actually use that.
>
>Either way, I typically use a UserState object that contains basic user information like IsAuthenticated, UserId, Name, IsAdmin so I have some of the basic information that I need in each request without having to look up the user record on each hit from the database. I then have a very simple serialization routine that simply splits the string and stores that info in the forms auth cookie data (or its own cookie if an anonymous cookie is required), all encoded and then Base64Encoded. This is super easy and fairly efficient.
Thank you again for adding more details as a reference.
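
A sketch of the UserState serialization described in the quoted comment, added here as an example and not code from the original thread or its author. It covers the stand-alone cookie case, where Base64 alone gives no integrity protection for fields such as IsAdmin, so the payload carries an HMAC; the field order, the `Protect`/`Unprotect` names and the server-side `key` are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public class UserState
{
    public bool IsAuthenticated, IsAdmin;
    public string UserId = "", Name = "";

    // Escape each field so a '|' inside Name cannot shift the field positions.
    public string Serialize() => string.Join("|",
        IsAuthenticated ? "1" : "0", Uri.EscapeDataString(UserId),
        Uri.EscapeDataString(Name), IsAdmin ? "1" : "0");

    public static UserState Deserialize(string data)
    {
        var p = data.Split('|');
        if (p.Length != 4) return null;          // wrong field count: reject
        return new UserState {
            IsAuthenticated = p[0] == "1", UserId = Uri.UnescapeDataString(p[1]),
            Name = Uri.UnescapeDataString(p[2]), IsAdmin = p[3] == "1" };
    }

    // Cookie value: Base64(payload) + "." + Base64(HMAC-SHA256(payload)).
    public static string Protect(UserState s, byte[] key)
    {
        byte[] payload = Encoding.UTF8.GetBytes(s.Serialize());
        using (var h = new HMACSHA256(key))      // key: server-side secret (assumed)
            return Convert.ToBase64String(payload) + "." +
                   Convert.ToBase64String(h.ComputeHash(payload));
    }

    // Returns null for anything malformed or modified by the client.
    public static UserState Unprotect(string cookie, byte[] key)
    {
        var parts = (cookie ?? "").Split('.');
        if (parts.Length != 2) return null;
        try
        {
            byte[] payload = Convert.FromBase64String(parts[0]);
            byte[] mac = Convert.FromBase64String(parts[1]);
            using (var h = new HMACSHA256(key))
                if (!FixedTimeEquals(h.ComputeHash(payload), mac)) return null;
            return Deserialize(Encoding.UTF8.GetString(payload));
        }
        catch (FormatException) { return null; } // not valid Base64
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

When the same string is stored as the user data of a Forms Authentication ticket instead, the ticket's own encryption and validation cover it, and only `Serialize`/`Deserialize` are needed.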