After reading this and this, I am wondering if it is considered secure to use the default ASP.NET sessionID as a means to authenticate the user. I know it would be better to implement ASP.Identity, which has a much longer 'fedAuth' cookie next to the ASP session mechanism, however due to constraints, this is very difficult. Of course, in case the ASP sessionid is not secure enough to use as a means to authenticate the user, nothing is impossible.
What I want to know is, is it considered bad practice today to use the ASP.NET sessionID as a means to verify the user, when both the HTTP-only and Secure flags are set? A security comparison with ASP.Identity's cookie authentication would be nice, as the first source I listed seems to have a custom implementation, which I certainly do not want to implement. I'd rather see a comparison with something established.