
OWIN Cookie Authentication Security


I'm approaching a new project and I am weighing up using MVC5 and Identity through OWIN.

I am running the scaffolding project, which provides the Entity Framework user database, register/sign-in etc. No third party or two factor.

As I currently understand it, OWIN Security is based on the cookie. Now, it's been a few years since I have dabbled in the Web, BUT I was under the impression that identity and claims should be stored in the session.

I'm inspecting the cookie that is set when a user logs in and various claims are set. I don't actually know what the underlying framework does, and I am struggling to find out:

  • Are there any technical links? Not about how to implement the interfaces and set this up, but on the security and best practices.
  • What is actually in this cookie and how can I inspect with EditThisCookie what is set, as it's encrypted or obfuscated?
  • How is this more secure than session?
  • If someone somehow got this cookie, could they basically sign in as the same user?
  • Does this scale? Normally multiple front ends would talk to the same session server.

Solution

  • We have a lot of samples for you to get your feet wet. https://github.com/AzureADSamples

    To answer some of your questions:

    What is actually in this cookie and how can I inspect with EditThisCookie what is set?
    After authentication succeeds, the user's identity is stored in a cookie that contains their identity.

    As it's encrypted or obfuscated?
    By default the cookie is encrypted and signed.

    How is this more secure than session?

    If someone somehow got this cookie, could they basically sign in as the same user?
    Unless channel binding is in effect, yes.

    Does this scale? Normally multiple front ends would talk to the same session server.
    We have found it does scale. Symmetric-key crypto is used, which is fast.

    There is the option of using a cache and not putting the details on the wire. This requires a distributed cache, which most developers do not seem to want to do.
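As an added example (not code from the question, the answer, or the MVC5 template itself), here is a `Startup.Auth.cs`-style OWIN configuration that applies the points in the answer: the cookie is HttpOnly and HTTPS-only, its lifetime is bounded, the security stamp is re-validated so a stolen cookie stops working after a password change, and an `IAuthenticationSessionStore` keeps the claims on the server so only an opaque key is sent over the wire. It assumes the `Microsoft.Owin.Security.Cookies` and `Microsoft.AspNet.Identity.Owin` packages that the scaffolded template already references, and that `ApplicationUserManager` and `ApplicationUser` (with its `GenerateUserIdentityAsync` method) are the template's types; the `InMemoryTicketStore` class is a hypothetical name written for this example.

```csharp
// Added example; assumes the MVC5/Identity template types ApplicationUserManager
// and ApplicationUser. InMemoryTicketStore is a hypothetical class written here.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            // Not readable from script and never sent over plain HTTP: this narrows
            // the "someone got hold of the cookie" case the answer describes.
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,

            // A leaked ticket is only usable until it expires; sliding expiration
            // keeps active users signed in without a long absolute lifetime.
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true,

            // Periodically re-check the user's security stamp so the cookie is
            // rejected after a password change or "sign out everywhere".
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(5),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            },

            // Server-side ticket store: the browser receives only a random key
            // (still encrypted and signed); the claims never go on the wire.
            SessionStore = new InMemoryTicketStore()
        });
    }
}

// Minimal server-side ticket store. It is in-memory, so it works for a single
// front end only; with several front ends the dictionary would be replaced by a
// distributed cache, which is exactly the trade-off the answer mentions.
public class InMemoryTicketStore : IAuthenticationSessionStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // 256 bits from a CSPRNG: the key must be unguessable because it is
        // the only thing the cookie carries.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        var key = Convert.ToBase64String(bytes);
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket;   // sliding expiration writes the refreshed ticket back
        return Task.FromResult(0);
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        AuthenticationTicket ticket;
        _tickets.TryGetValue(key, out ticket);
        return Task.FromResult(ticket);   // null means "not signed in"
    }

    public Task RemoveAsync(string key)
    {
        AuthenticationTicket removed;
        _tickets.TryRemove(key, out removed);   // sign-out invalidates server-side too
        return Task.FromResult(0);
    }
}
```

With `SessionStore` set, signing out removes the ticket on the server, so a copied cookie is dead after logout rather than valid until its expiry; without it, the encrypted-and-signed ticket in the cookie is self-contained and the security-stamp check and expiration are the only things that limit a leaked cookie.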