I think there is nothing wrong with Mono. In fact, the two cookies you mention - ASP.NET_SessionId
and .MONOAUTH
are the Session and Forms Authorization cookies, which really are different.
To get rid of the ASP.NET_SessionId
, you can either not use Sessions at all or have cookieless sessions (<sessionSate> on MSDN).
Note: You should also get two cookies on Windows. If not, it probably means that you didn't hit any MVC Actions that set some value in the SessionState. If you manage to find such an Action, you will get two cookies on Windows as well.