At the moment I'm working with ASP.NET MVC 5 and the new Identity 2 framework for authentication and authorization. Based on these principles I implemented a custom claim-based system which is able to check if a user action is permitted by passing an area and an action (e.g. the area is reservation and the action is create).
Now I have the requirement to extend the system for use in a multi-tenant application which differentiates the tenants by a URL sub path (e.g. https://www.mydomain.com/tenant1/{controller}/{action}).
The Identity framework is imho not able to set cookies based on a specific URL sub path. Every place where I tried to hook in and set the cookie path failed.
The second use case I have is granting a user temporary access to a set of actions without the need to log out afterwards. This should also work if cookies are disabled.
I decided to rewrite the authentication system from scratch to fulfill my needs. What's the best way to implement a cookieless temporary login? Story: User wants to place a reservation. Therefore he must be authenticated to navigate through a wizard (2 or 3 async server requests). After finishing the wizard the user must be logged out without any interaction. Created tokens must be invalidated (used for a kiosk mode).
What kind of principles and best practices exist for this scenario? Any experience with a similar use case?
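One way to model the temporary, cookieless wizard grant described in the question, as an added example that is not part of the original post. It assumes an opaque random token returned by the client in a request header over HTTPS and a single-process in-memory store; `WizardTokenStore` and all of its members are hypothetical names.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: short-lived, tenant-bound, request-limited grants.
public sealed class WizardTokenStore
{
    private sealed class Grant { public string Tenant; public DateTime ExpiresUtc; public int Remaining; }

    // Keyed by SHA-256 of the token, so a dump of the store yields no usable tokens.
    private readonly ConcurrentDictionary<string, Grant> _grants = new ConcurrentDictionary<string, Grant>();

    public string Issue(string tenant, int maxRequests, TimeSpan lifetime)
    {
        var raw = new byte[32]; // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        _grants[Hash(token)] = new Grant { Tenant = tenant, ExpiresUtc = DateTime.UtcNow + lifetime, Remaining = maxRequests };
        return token; // handed to the client once, after the credential check
    }

    // Validates one wizard request. tenantFromUrl is the tenant segment of the
    // route, so a token issued for tenant1 is useless under /tenant2/.
    public bool TryConsume(string token, string tenantFromUrl)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string key = Hash(token);
        Grant g;
        if (!_grants.TryGetValue(key, out g)) return false;
        lock (g)
        {
            bool ok = g.Remaining > 0 && DateTime.UtcNow < g.ExpiresUtc
                && string.Equals(g.Tenant, tenantFromUrl, StringComparison.OrdinalIgnoreCase);
            // Fail closed: expiry or a tenant mismatch kills the grant outright;
            // the last permitted request removes it, which is the automatic logout.
            g.Remaining = ok ? g.Remaining - 1 : 0;
            if (g.Remaining == 0) { Grant removed; _grants.TryRemove(key, out removed); }
            return ok;
        }
    }

    // Explicit invalidation, e.g. when the wizard is cancelled in kiosk mode.
    public void Revoke(string token)
    {
        Grant g;
        if (!string.IsNullOrEmpty(token) && _grants.TryRemove(Hash(token), out g)) lock (g) g.Remaining = 0;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

Because the state lives on the server, invalidation does not depend on the client discarding anything; a multi-server deployment would need a shared store in place of the in-memory dictionary.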