I am currently studying the new ASP.NET Identity and OWIN authentication so that I can customize it for my own use. I just created a default MVC 5 application and came across this piece of code:
    private async Task SignInAsync(ApplicationUser user, bool isPersistent)
    {
        // Clear the cookie issued during external (3rd-party) login.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie); // WHY??
        // Build the local application identity for this user and issue the application cookie.
        var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
    }
The Question
Is there any security risk to leaving the external cookie in place?
It turns out that the purpose of that line is to deactivate the external cookie that was obtained from the 3rd-party provider, since the intention is to transfer the identity of the user from the 3rd party to the local identity.
Not doing so would cause the cookie to remain valid even after the user has signed out.
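To make that lifecycle concrete, here is an added example (not code from the original question, answer or the MVC 5 template itself) showing the external cookie being consumed and cleared on external login, a log-off that clears both cookie types, and a hypothetical `IsExternalIdentityGoneAsync` check. It assumes the template's `ApplicationUser`, `UserManager`, `AuthenticationManager` and `RedirectToLocal` members exist on the controller.

```csharp
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public partial class AccountController : Controller
{
    // Reached after the 3rd-party provider redirects back. The external cookie is
    // only a short-lived carrier for the provider's claims, not a session of its own.
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        // Read the identity carried by the external cookie.
        var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (loginInfo == null) return RedirectToAction("Login");

        // Map the provider login to a local account; unknown logins go back to Login.
        var user = await UserManager.FindAsync(loginInfo.Login);
        if (user == null) return RedirectToAction("Login");

        await SignInAsync(user, isPersistent: false);
        return RedirectToLocal(returnUrl); // template helper, assumed present
    }

    private async Task SignInAsync(ApplicationUser user, bool isPersistent)
    {
        // Drop the external cookie: its claims are now carried by the local identity.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = isPersistent }, identity);
    }

    // Defensive log-off: clear both cookie types so nothing lingers even if an
    // external cookie was left behind by an interrupted external login.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie,
                                      DefaultAuthenticationTypes.ExternalCookie);
        return RedirectToAction("Index", "Home");
    }

    // Hypothetical check (added here): on a request made after SignOut has been
    // applied, the external authentication type should no longer yield an identity.
    private async Task<bool> IsExternalIdentityGoneAsync()
    {
        var result = await AuthenticationManager.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie);
        return result == null || result.Identity == null;
    }
}
```

SignOut only queues the cookie removal on the current response, so the check is meaningful on the next request, not inside the same action that called SignOut.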