I'm using app.UseCookieAuthentication as follows (just a simple example):

    // Registers cookie authentication under a named scheme; AutomaticAuthenticate
    // makes the middleware read the cookie on every request and populate HttpContext.User.
    app.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        AuthenticationScheme = "MyAuthScheme",
        AutomaticAuthenticate = true,
    });
Then somewhere I'm manually creating a ClaimsPrincipal and signing in the user:

    var claimCollection = new List<Claim>()
    {
        new Claim(ClaimTypes.Name, "First user"),
        new Claim(ClaimTypes.Role, "User"),
        new Claim(ClaimTypes.Email, "first@user.com")
    };
    // The authentication type must be supplied, otherwise Identity.IsAuthenticated
    // is false for this identity (also after it is read back from the cookie).
    var claimsIdentity = new ClaimsIdentity(claimCollection, "MyAuthScheme");
    var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
    // Serializes the principal into an authentication ticket and issues it as the cookie.
    await context.Authentication.SignInAsync("MyAuthScheme", claimsPrincipal);
So the generated cookie will contain information about user roles.

Now the question: is such a generated cookie secure? I mean, does ASP.NET encrypt it somehow so the end user cannot manually modify it in a way that e.g. the server would think the user is admin? Will the server notice that the cookie is corrupted when the user modifies it?
Yes.

Yes, it's encrypted, so you can't see the contents.

Yes, it's signed, so tampering will be detected.
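To show what the answer means in practice, here is an added example (not code from the question or the answer, and not part of ASP.NET Core itself). The cookie middleware serializes the authentication ticket and runs it through an IDataProtector from ASP.NET Core Data Protection, which both encrypts and authenticates the payload; the example does the same with TicketDataFormat outside a web host, then flips one character of the protected value and shows that Unprotect refuses it. It assumes the Microsoft.AspNetCore.DataProtection.Extensions and Microsoft.AspNetCore.Authentication.Cookies packages and the 2.x+ namespace layout; the key-ring directory and the purpose strings are placeholders chosen for this example (the middleware uses its own purpose strings internally).

```csharp
// Added example: protected cookie ticket round trip and tamper detection.
// Assumptions: packages Microsoft.AspNetCore.DataProtection.Extensions and
// Microsoft.AspNetCore.Authentication.Cookies; "./demo-keys" and the purpose
// strings are placeholders for this demo only.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;

public static class CookieTicketDemo
{
    // Builds a TicketDataFormat backed by a file-system key ring. In a real app the
    // provider comes from DI and the cookie middleware creates the protector itself.
    public static TicketDataFormat CreateFormat(string keyDirectory)
    {
        var provider = DataProtectionProvider.Create(new DirectoryInfo(keyDirectory));
        IDataProtector protector = provider.CreateProtector("CookieTicketDemo", "MyAuthScheme", "v1");
        return new TicketDataFormat(protector);
    }

    // Same principal shape as in the question; the authentication type makes IsAuthenticated true.
    public static AuthenticationTicket BuildTicket()
    {
        var identity = new ClaimsIdentity(new List<Claim>
        {
            new Claim(ClaimTypes.Name, "First user"),
            new Claim(ClaimTypes.Role, "User"),
            new Claim(ClaimTypes.Email, "first@user.com")
        }, "MyAuthScheme");
        return new AuthenticationTicket(new ClaimsPrincipal(identity), null, "MyAuthScheme");
    }

    // Flips one character in the middle of the base64url cookie value (constructed tampering).
    public static string FlipOneChar(string protectedValue)
    {
        char[] chars = protectedValue.ToCharArray();
        int i = chars.Length / 2;
        chars[i] = chars[i] == 'A' ? 'B' : 'A';
        return new string(chars);
    }

    public static void Main()
    {
        TicketDataFormat format = CreateFormat("./demo-keys");

        // Protect: encrypt + authenticate, then base64url-encode. The output is opaque;
        // the role claim cannot be read from it without the server's key ring.
        string cookieValue = format.Protect(BuildTicket());
        Console.WriteLine($"Cookie value: {cookieValue}");

        // Unprotect: the server recovers the principal, including the Role claim.
        AuthenticationTicket restored = format.Unprotect(cookieValue);
        Console.WriteLine($"Restored role: {restored.Principal.FindFirst(ClaimTypes.Role)?.Value}");
        Console.WriteLine($"IsAuthenticated: {restored.Principal.Identity.IsAuthenticated}");

        // Tampered value: the authentication tag no longer matches (or the base64url no
        // longer decodes), SecureDataFormat swallows the failure and returns null, and the
        // middleware then treats the request as anonymous instead of trusting the cookie.
        AuthenticationTicket result = format.Unprotect(FlipOneChar(cookieValue));
        Console.WriteLine(result == null ? "Tampered cookie rejected" : "Unexpected: tampered cookie accepted");
    }
}
```

Two points worth noting when reading the output: a client that edits the cookie cannot produce a value that unprotects to a different role without the key ring, so the defence rests on keeping the Data Protection keys out of reach (and on HTTPS plus HttpOnly/Secure cookie flags so the valid cookie itself is not stolen); and because a failed Unprotect yields null rather than an exception, the symptom on the server side is simply an anonymous request, which is why a sudden rise in anonymous requests that carry an authentication cookie is a useful signal to log and alert on.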