0

When using the ASP.NET Identity ApplicationCookie authentication strategy two cookies are created when the user logs in: _RequestVerificationToken and .AspNet.ApplicationCookie.

Is there any server side session state associated with these cookies?
If so, is it possible to configure this identity session state's location (InProc, custom provider)?

1 Answer

1

_RequestVerificationToken is a CSRF token. It contains a value that must match one of the hidden fields in the page. There is no server side session state associated with this cookie. More info.

.AspNet.ApplicationCookie is a persistent cookie that contains the user's identity and claims in an encrypted and signed format. The data is stored in the cookie itself, not on the server. More info
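As an added illustration (not part of the original answer, and not ASP.NET Identity's actual cookie format), this C# program models a self-contained cookie: the claims are serialized, encrypted with AES-CBC and authenticated with HMAC-SHA256, and validation needs only the keys, with no server-side session lookup. The `Ticket` and `StatelessCookie` names, the byte layout and the randomly generated keys are assumptions made for the example; it targets .NET 6 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text.Json;

// Constructed sample keys and user; a real application loads keys from its key store.
byte[] encKey = RandomNumberGenerator.GetBytes(32), macKey = RandomNumberGenerator.GetBytes(32);
string cookie = StatelessCookie.Protect(
    new Ticket("alice", new[] { "Admin" }, DateTimeOffset.UtcNow.AddMinutes(30)), encKey, macKey);
Console.WriteLine(StatelessCookie.Unprotect(cookie, encKey, macKey)?.Name);          // valid cookie
char[] c = cookie.ToCharArray();
c[10] = c[10] == 'A' ? 'B' : 'A';                                                    // alter one character
Console.WriteLine(StatelessCookie.Unprotect(new string(c), encKey, macKey) is null); // tampered cookie

// Hypothetical ticket type for this example: identity, claims and expiry all
// travel inside the cookie value.
record Ticket(string Name, string[] Roles, DateTimeOffset ExpiresUtc);

static class StatelessCookie
{
    // Layout (assumed): IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes)
    public static string Protect(Ticket t, byte[] encKey, byte[] macKey)
    {
        using var aes = Aes.Create();
        aes.Key = encKey;
        byte[] iv = RandomNumberGenerator.GetBytes(16);
        byte[] ct = aes.EncryptCbc(JsonSerializer.SerializeToUtf8Bytes(t), iv);
        byte[] body = iv.Concat(ct).ToArray();
        byte[] tag = HMACSHA256.HashData(macKey, body);
        return Convert.ToBase64String(body.Concat(tag).ToArray());
    }

    // Returns the ticket, or null when the cookie is malformed, tampered with or expired.
    // Only the two keys are needed: nothing is looked up in server-side state.
    public static Ticket? Unprotect(string cookie, byte[] encKey, byte[] macKey)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(cookie); } catch (FormatException) { return null; }
        if (raw.Length < 16 + 16 + 32) return null;
        byte[] body = raw[..^32], tag = raw[^32..];
        // Check the MAC in constant time before any decryption is attempted.
        if (!CryptographicOperations.FixedTimeEquals(HMACSHA256.HashData(macKey, body), tag)) return null;
        using var aes = Aes.Create();
        aes.Key = encKey;
        var t = JsonSerializer.Deserialize<Ticket>(aes.DecryptCbc(body[16..], body[..16]));
        return t is null || t.ExpiresUtc <= DateTimeOffset.UtcNow ? null : t;
    }
}
```

In this model, any server that holds the same two keys can validate the cookie, and a cookie stays valid until the expiry stored inside it.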
