ASP.NET's AspStateTempSessions table

Using SqlServer session state provider with ASP.NET.

From : http://msdn.microsoft.com/en-us/library/aa478952.aspx , the ASPStateTempSessions table's SessionId column is made up of : "Session Id" + "Application Id".

My question is, wouldn't "Session Id" be enough to make this column unique ? If so, is adding the "Application Id" just some additional security to make sure sessions can't be accessed across application boundaries ?

I'm just trying to understand session ids (the 24 character ones) a bit better.

EDIT : sorry, I should clarify. Assume that for all of the applications on the domain, the ASP.NET sessionState cookieName is explicitly set to a unique value for each application.

e.g :

for app 1 :  <sessionState mode="SQLServer" ... cookieName="ASP.NET_SessionId_App1" > .. 

for app 2 : <sessionState mode="S开发者_开发知识库QLServer" ... cookieName="ASP.NET_SessionId_App2" > ..

(I'm thinking this will make each app use a different session ID ?).

If you are looking at a single application, yes - Session Id would be enough to make the column unique. However - the database schema is designed to support multiple applications in one Database. The application ID makes it unique when there are multiple records. It has nothing to do with Security.

ASP.NET Sql Server Session State Provider database schema is designed to support multiple web applications i.e. you can have same sql server database backing up sessions from multiple web sites.