
I have a website project with .NET 6 (MVC) and I use an authentication cookie for authorizing users with this config:

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.SlidingExpiration = true;
        options.Cookie.HttpOnly = true;
        options.Cookie.SameSite = SameSiteMode.Lax;
        options.Cookie.Name = "sepsep";
        options.Cookie.IsEssential = true;
        options.ExpireTimeSpan = TimeSpan.FromDays(365);
    });

I've created the same cookie (name, value, etc.) in another browser on another computer, and I am now authorized on that other computer!

Is it possible to protect this cookie so it can't be copied? I mean, I think this cookie should only work on my own computer, and even only in that browser!

UPDATE

I use the claims-based method to log in the user:

var claims = new List<Claim>
{
    new Claim("UserMobile", mobile),
};

var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
var authProperties = new AuthenticationProperties
{
    IsPersistent = true
};

// awaited so the sign-in completes (and any failure surfaces) before the request continues
await _contextAccessor.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                               new ClaimsPrincipal(claimsIdentity),
                                               authProperties);
  • The problem is you can change the IP address of any computer. So how do you uniquely identify a client in a way that hackers cannot get around? The best way is not to use a cookie but instead use Windows Credentials to make sure your connection is secure. Then the cookie doesn't matter. – jdweng Aug 13 '22 at 16:21
  • How about using something like a unique machine key? – Sepehr Estaki Aug 13 '22 at 16:59
  • A cookie should not really be used as a form of securing access. There are much better things like logins, tokens, auth, and many others. – mathis1337 Aug 13 '22 at 17:17
  • Can a hacker get access to the machine key? – jdweng Aug 13 '22 at 18:37
  • @jdweng I mean something like a MAC ID – Sepehr Estaki Aug 13 '22 at 19:26
  • The MAC ID is not encrypted and is used in many places that are not encrypted. – jdweng Aug 13 '22 at 23:48
