
How does an OWIN authentication cookie actually authenticate

To authenticate a user, what information is stored in the cookie generated by the default implementation of Microsoft.Owin.Security.AuthenticationManager.SignIn(claimsIdentity)?

Chrome / FF do not clear cookies that don't have an expiration date (depending on the user's browser settings). So even non-persistent, cookie-authenticated users stay logged in over browser restarts.

The users even stay signed in after the app-pool recycles, which is what prompts me to ask this question.

Does the cookie contain session specific information, or is it the same as a persistent cookie, but without an expiration date?

To my knowledge, the cookie generated contains multiple fields, among them the user-id and an expiration datetime for the cookie. The data is encrypted with the machine key of the web server, which makes the cookie that is sent to the browser.

So after a web app is restarted the machine key remains the same and the cookie is still usable as long as the expiration has not passed.
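The following is an added example (not code from the question or the answer above) showing the two halves of the answer in Microsoft.Owin.Security.Cookies: the ticket lifetime is set server-side with ExpireTimeSpan, independently of whether the browser cookie has an Expires attribute, and the cookie value can be decrypted only with the same protector the middleware created (backed by the machineKey when hosted under Microsoft.Owin.Host.SystemWeb). The class names AuthDemoStartup and TicketInspector, the cookie name, the login path and the 30-minute lifetime are assumptions chosen for the example; the OWIN types and members used are real.

```csharp
using System;
using System.Security.Claims;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical startup class for the example.
public class AuthDemoStartup
{
    // Kept in a static so the ticket can later be unprotected with the exact
    // protector the middleware installs into TicketDataFormat.
    public static readonly CookieAuthenticationOptions CookieOptions = new CookieAuthenticationOptions
    {
        AuthenticationType = "ApplicationCookie",
        CookieName = ".AspNet.ApplicationCookie",
        LoginPath = new PathString("/Account/Login"),
        // Server-side lifetime of the encrypted ticket (default is 14 days).
        // This, not the browser closing or an app-pool recycle, ends the session.
        ExpireTimeSpan = TimeSpan.FromMinutes(30),
        SlidingExpiration = true,
        CookieHttpOnly = true,
        CookieSecure = CookieSecureOption.Always,
    };

    public void Configuration(IAppBuilder app)
    {
        // Under IIS the data protector wraps MachineKey, so the ticket remains
        // readable across recycles as long as the machineKey is unchanged.
        // After this call CookieOptions.TicketDataFormat is populated.
        app.UseCookieAuthentication(CookieOptions);
    }
}

// Hypothetical helper for the example.
public static class TicketInspector
{
    // Issues the cookie. IsPersistent = false produces a session cookie with no
    // Expires attribute; the ticket inside still carries ExpiresUtc.
    public static void SignIn(IOwinContext ctx, string userId, bool rememberMe)
    {
        var identity = new ClaimsIdentity(AuthDemoStartup.CookieOptions.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        ctx.Authentication.SignIn(new AuthenticationProperties { IsPersistent = rememberMe }, identity);
    }

    // Decrypts a cookie value the same way the middleware does and reports what
    // it contains. Returns null when the value was tampered with or was produced
    // under a different machineKey (Unprotect fails instead of throwing).
    public static string Describe(string cookieValue, DateTimeOffset now)
    {
        AuthenticationTicket ticket = AuthDemoStartup.CookieOptions.TicketDataFormat.Unprotect(cookieValue);
        if (ticket == null)
        {
            return null;
        }

        AuthenticationProperties props = ticket.Properties;
        // The middleware applies the same check before accepting the identity.
        bool expired = props.ExpiresUtc.HasValue && props.ExpiresUtc.Value < now;

        string userId = ticket.Identity.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "(none)";
        return string.Format(
            "user={0} issued={1:o} expires={2:o} persistent={3} expired={4}",
            userId,
            props.IssuedUtc,
            props.ExpiresUtc,
            props.IsPersistent,
            expired);
    }
}
```

Read the cookie value from `ctx.Request.Cookies[AuthDemoStartup.CookieOptions.CookieName]` and pass it to `Describe` together with `DateTimeOffset.UtcNow` to see that a "session" cookie carries a concrete ExpiresUtc; changing the machineKey (or a single character of the cookie value) makes `Describe` return null, which is why users stay signed in across recycles only while the key is stable.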
