Claims Cookie Security in ASP.Net Identity

DevMania · Mar 9, 2014 · Viewed 9.5k times

The way I understood it from reading all over the net is that Claims get stored as a cookie. Now I add the User's Roles to the Claims collection, and thus they will be saved into the Claims Cookie. This is great, as it would save me the round trip to the database to retrieve the user's role each time I have an Authorization Attribute to check against in my ASP.NET MVC Controller.

  • Is this secure?
  • Can the cookie be decrypted if stolen?
  • Is there an alternative to not save the Claims in the Cookie and save them on the server instead, and is this efficient, or am I worrying too much?

Answer

0leg · Mar 9, 2014

Cookies are pretty much the standard way to maintain an authentication session for a web site, unless you use the cookieless mechanism, which transmits the session as a query string and was shown to be less secure. Whether you store claims in the cookie or not, you are still relying on the cookie security mechanism to maintain the client identity between page hits. The mechanism has been around for years and is considered secure as long as you follow the implementation guidelines from Microsoft.

Assuming you are using .NET 4.5, or .NET 4.0 with the WIF libraries, you can cache claims on the server and not send them in the cookie. Here is some basic documentation. Usually it is recommended if you have a lot of claims and the cookie gets too large to carry on every page hit.
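An added example, not code from the question or from 0leg's answer, of the set-up the question describes on ASP.NET Identity 2.x with the OWIN cookie middleware: role claims are placed in the authentication cookie at sign-in, the cookie is marked HttpOnly and Secure, and the security-stamp validator periodically re-checks the cookie against the database so cached role claims cannot outlive a role change. The ticket in the cookie is encrypted and signed by the middleware's data protector (machineKey when hosted under IIS), so a stolen cookie cannot be read without the server's key, but it can be replayed until it expires or fails validation; that is why the lifetime and the validation interval below matter. The type names ApplicationUser, ApplicationUserManager and ApplicationDbContext are assumed from the default MVC 5 Identity template, and GrantRole is a hypothetical admin action.

```csharp
// Added example, not code from the original question or answer.
// Target: ASP.NET MVC 5 with ASP.NET Identity 2.x on OWIN.
// Assumed to exist (as in the default MVC 5 Identity template): ApplicationUser,
// ApplicationUserManager (with a static Create factory) and ApplicationDbContext.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // App_Start/Startup.Auth.cs: configure the cookie that carries the claims.
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            // Hardening: the ticket is never exposed to script and never sent over plain HTTP.
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,

            // Bound the lifetime of a stolen (replayed) ticket.
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true,

            Provider = new CookieAuthenticationProvider
            {
                // Every validateInterval the security stamp inside the ticket is compared
                // with the one stored for the user. A mismatch rejects the cookie, so claims
                // cached in it (roles included) cannot stay stale longer than this interval.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) =>
                            manager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie))
            }
        });
    }
}

public class AccountController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // Issues the cookie. CreateIdentityAsync already emits one ClaimTypes.Role claim per
    // role held by the user, which is what lets [Authorize(Roles = "...")] be evaluated
    // from the cookie without a database round trip.
    private async Task SignInAsync(ApplicationUser user, bool isPersistent)
    {
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        ClaimsIdentity identity = await UserManager.CreateIdentityAsync(
            user, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = isPersistent }, identity);
    }

    // Hypothetical admin action: when a role assignment changes, bump the user's security
    // stamp so that the validator above throws away the cookie (and its cached role claims)
    // at the next validation instead of trusting it until expiry.
    [Authorize(Roles = "Admin")]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> GrantRole(string userId, string role)
    {
        IdentityResult result = await UserManager.AddToRoleAsync(userId, role);
        if (!result.Succeeded)
        {
            return new HttpStatusCodeResult(400, string.Join("; ", result.Errors));
        }
        await UserManager.UpdateSecurityStampAsync(userId);
        return RedirectToAction("Index");
    }
}
```

The trade-off this makes explicit: role checks are served from the cookie on every request, and the database is consulted only once per validateInterval per user, so the round trip the question wants to avoid is amortised rather than eliminated, in exchange for a bounded window in which a revoked role is still honoured.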