security asp.net-core cookies asp.net-identity session-cookies

Is it right way to store security fields in cookies?

I trying to store extra fields in cookies with ASP.Net Core Identity.

one of this fields, is Role Name.

Is it safe to store role name in cookies?

For example, is it possible that user change role name from "normalUser" to "admin"?

I am using ASP.Net Core 3.1 version.

Solution

NEVER store sensitive data in cookies. As mason said in the comment, cookies can be modified meaning they can be exploited. And besides, your cookies might be in plaintext, which is even worse.

I would recommend storing such data securely in the backend.

Sessions are definitely safer than cookies since they are stored on the server side but they also can be subject to attacks (session hijacking). You'll need to properly configure them for better security.

Why are iframes considered dangerous and a security risk?
Vulnerabilities in spring-webmvc-5.3.39 to 5.3.40
Limit GraphQL Queries by Breadth
Securing a UDP connection
Cross Domain Form POSTing
How is PHP's mt_rand seeded?
Customize android app preview when it is in background with secure flag
Can a client-side login be safe?
How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
Amazon Web Services : Setting S3 policy to allow putObject and getObject but deny listBucket
How to validate if a URL is an Okta domain?
How to make Google Analytics respond to "Do Not Track"
My Vercel API tokens leaked on GitHub. How do I regenerate them?
Implementing Custom Expression Handling with Spring Security 6
What are the security concerns for JSF?
App attestation failed with Firebase App check in release on Android
SQL Server returns error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." in Windows application
When should I use the deny access functions in Symfony 4.4 controllers?
Install two traefik ingress controller on same kubernetes Cluster
Logon events from within credential provider
How to give access to my API for a mobile app?
How to verify a JWKS's integrity and authenticity
Changes in the front-end (Vue.js) part of the PatrolHears project (open source code)
ECPrivateKey to ECPublicKey without BouncyCastle
What TargetName to use when calling InitializeSecurityContext (Negotiate)?
java.security.NoSuchAlgorithmException:Cannot find any provider supporting AES/ECB/PKCS7PADDING
Which procedure is more secure for encryption using Password and Seed
Source security group isn't working as expected in AWS
Google Authenticator available as a public service?
Where do you store your salt strings?