
I'm using Cookie authentication for a Web API Core application, with OpenIdConnect.

So far, I store JWT tokens in the cookies, and use a custom cache to keep session-like data (in the cache, the token is the key).

Now I'd like to keep tokens on the server side only, removing them from the authentication cookie.

I'm wondering if the authentication cookie carries a unique identifier that I could use as the key in my cache? I've not found such a property in the class ... I would need something like the sessionId in the session cookie, that I can retrieve each time the cookie is provided.

Thank you

drkmkzs
  • `eep tokens on the server side only` is it necessary to do it like this? I don't think it's a good idea. – Tiny Wang Feb 22 '22 at 02:46
  • Well, I rely on Cookie authentication, and I decided to use a cache of users (a kind of session). So I don't need to keep the access_token or refresh_token on the client side. Keeping it on the server side would slightly increase both security and performance (the cookie would be way smaller). – drkmkzs Feb 22 '22 at 08:40
  • Per my understanding, you may set the jwt token as the value and the user id as the key, then you can store the token on your server side, and when a request comes in to call the api, you may then check if this user has a valid token stored on your server side. – Tiny Wang Feb 23 '22 at 06:18
  • But I would like to keep track of sessions: a user can have several sessions at the same time (for instance different computers or browsers). So I'd rather keep an identifier of the session as the key, and wanted to see if the authentication cookie had such information available... As long as the cookie exists (and is valid), I consider the session to be the same. – drkmkzs Feb 23 '22 at 10:49
  • Moreover, the idea of the session is to retrieve user info from the incoming session (i.e. data from the cookie)... the key has to be that data, to retrieve the internal userId from the session cache. – drkmkzs Feb 23 '22 at 10:57
  • Then I still recommend sending the token along with each request. Your server side only needs to validate whether the token is valid. – Tiny Wang Feb 24 '22 at 01:23
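An added example, not from the question or the comments, of the mechanism the question is reaching for: the ASP.NET Core cookie handler can hand the whole authentication ticket (claims plus the tokens the OpenID Connect handler saves into it) to an `ITicketStore`, so the cookie sent to the browser carries only a store-generated key, which doubles as the per-session identifier. The class `MemoryCacheTicketStore`, the helper `AddServerSideCookieSessions` and the one-hour sliding timeout are assumptions of this example.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical store: the ticket stays in server memory, the cookie holds only the key.
public sealed class MemoryCacheTicketStore : ITicketStore
{
    private const string KeyPrefix = "AuthSession-";
    private readonly IMemoryCache _cache = new MemoryCache(new MemoryCacheOptions());

    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // A fresh random key per sign-in: the same user on two browsers gets two sessions.
        var key = KeyPrefix + Guid.NewGuid().ToString("N");
        await RenewAsync(key, ticket);
        return key;
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        var options = new MemoryCacheEntryOptions();
        var expiresUtc = ticket.Properties.ExpiresUtc;
        if (expiresUtc.HasValue)
            options.SetAbsoluteExpiration(expiresUtc.Value); // never outlive the ticket
        options.SetSlidingExpiration(TimeSpan.FromHours(1)); // assumed idle timeout
        _cache.Set(key, ticket, options);
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        // Unknown or evicted key: the handler treats the request as unauthenticated.
        _cache.TryGetValue(key, out AuthenticationTicket? ticket);
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        _cache.Remove(key); // sign-out invalidates the session server-side, not just the cookie
        return Task.CompletedTask;
    }
}

public static class TicketStoreSetup
{
    // Wire the store into the cookie handler; pair it with SaveTokens = true on the
    // OpenID Connect handler so access/refresh tokens live in the ticket, not the cookie.
    public static AuthenticationBuilder AddServerSideCookieSessions(this AuthenticationBuilder auth)
        => auth.AddCookie(options => options.SessionStore = new MemoryCacheTicketStore());
}
```

With this in place the token can be read on the server from the restored ticket (`HttpContext.GetTokenAsync("access_token")`), and an in-memory cache is single-node only; a distributed cache is the usual substitute when the API runs on several instances.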

0 Answers