How does OWIN middleware track changes in a cookie
How does OWIN middleware track changes in a cookie? I am using cookie authentication. After the cookie is generated and attached to the browser, if I make any change to the cookie using F12 (the developer toolbar in the browser) and send a request to the server, how does OWIN validate the cookie?
var cookieAuthenticationOptions = new CookieAuthenticationOptions
{
    CookieName = "test",
    AuthenticationType = "Cookies",
    ExpireTimeSpan = TimeSpan.FromHours(12), // absolute lifetime of the ticket
    SlidingExpiration = false                // lifetime is not renewed on activity
};
app.UseCookieAuthentication(cookieAuthenticationOptions);
Solution 1:[1]
PREFERRED BEHAVIOR
Auth cookies are strongly encrypted since they contain tokens in some cases. The pattern for auth cookies is to use properties such as these:
- HTTP Only
- Encrypted
- SameSite=strict
- Domain=web origin
- Secure
Symmetric authenticated encryption is used, with an algorithm such as AES256-GCM. This means any edit to any cookie byte will fail decryption, resulting in a 401 error. You should test this.
Cookies are time restricted also. Either the exp claim of stored tokens is checked on every request, or a separate timestamp within the cookie data.
OWIN
Some notes here on OWIN crypto. It is quite an old tech now, so does not use the most cutting edge encryption algorithms. Instead it uses machine key based encryption, which I believe uses AES + HMACSHA under the hood. The end result is essentially the same behavior as above though.
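To make the behavior described in the answer concrete (authenticated encryption plus an expiry check, so a cookie edited in the browser fails decryption and an old one is rejected), here is an added standalone Go illustration using AES-GCM; it is not OWIN's code and not part of the original answer, and the key, the "unixExpiry|subject" payload layout and the error messages are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)

// newGCM builds the AEAD (AES-GCM) that protects the cookie; key is 16, 24 or 32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCookie encrypts "unixExpiry|subject" and returns base64url(nonce||ciphertext||tag).
func sealCookie(gcm cipher.AEAD, subject string, exp time.Time) (string, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per cookie
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plain := []byte(strconv.FormatInt(exp.Unix(), 10) + "|" + subject)
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}

// openCookie is the per-request check: decrypt and verify the tag, then the timestamp.
// Every error path here is what a cookie middleware turns into a 401.
func openCookie(gcm cipher.AEAD, cookie string, now time.Time) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	ns := gcm.NonceSize()
	if err != nil || len(raw) < ns {
		return "", errors.New("undecodable cookie")
	}
	plain, err := gcm.Open(nil, raw[:ns], raw[ns:], nil) // the tag covers every byte
	if err != nil {
		return "", errors.New("cookie tampered or wrong key")
	}
	parts := strings.SplitN(string(plain), "|", 2)
	exp, perr := strconv.ParseInt(parts[0], 10, 64)
	if len(parts) != 2 || perr != nil || !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("malformed or expired cookie")
	}
	return parts[1], nil
}
```

Flipping a single bit anywhere in the cookie value (nonce, ciphertext or tag) makes gcm.Open fail before any claim is read, which is the 401 the answer says you should test for.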
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Gary Archer |