Is it possible to Implement Azure Ad Authentication in webforms without cookie authenticationtype ?

Question

Is it possible to Implement Azure Ad Authentication in webforms without cookie authenticationtype ?

Praneeth Kumar Pagunta 1

Can we implement the below code without using cookies

public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // Sets the ClientId, authority, RedirectUri as obtained from web.config
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
                PostLogoutRedirectUri = redirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile,
                // ResponseType is set to request the code id_token - which contains basic information about the signed-in user
                ResponseType = OpenIdConnectResponseType.CodeIdToken,
                // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = OnAuthenticationFailed
                }
            }
        );
        }

AgaveJoe 30,126 Reputation points

2022-05-17T20:32:02.037+00:00

Is it possible to Implement Azure Ad Authentication in webforms without cookie authenticationtype ?

A cookie caches the identity of a user in browser based applications. It is possible to use another form of state management but cookies are by far the easiest method.

Why are you opposed to cookies in a browser based application?
Praneeth Kumar Pagunta 1 Reputation point

2022-05-18T09:25:08.643+00:00

Well it's what have been requested by customer, failed to convince even after explaining multiple times the need of cookies for the implementation. Now I need to get it done but couldn't find any other ways so far
AgaveJoe 30,126 Reputation points

2022-05-18T11:35:32.097+00:00

Using an authentication cookie in a browser based application is the industry standard pattern. ASP.NET's well-tested authentication and authorization libraries are build around an authentication cookie.

One possible solution is to use a mater page with a hidden input to store encrypted user information. Write code that fetches the user data on each request and populate the IPrincipal so the standard Web Forms authentication/authorization tools continue to work.

Keep in mind, the proposed design is less secure than a cookie because the hidden filed is exposed to JavaScript. JavaScript cannot access an authentication cookie. Warn the customer this requirement makes the application less secure than using standard patterns and practices.

1 answer

Your answer

AgaveJoe 30,126 Reputation points

2022-05-17T20:32:02.037+00:00

Is it possible to Implement Azure Ad Authentication in webforms without cookie authenticationtype ?

A cookie caches the identity of a user in browser based applications. It is possible to use another form of state management but cookies are by far the easiest method.

Why are you opposed to cookies in a browser based application?
Praneeth Kumar Pagunta 1 Reputation point

2022-05-18T09:25:08.643+00:00

Well it's what have been requested by customer, failed to convince even after explaining multiple times the need of cookies for the implementation. Now I need to get it done but couldn't find any other ways so far
AgaveJoe 30,126 Reputation points

2022-05-18T11:35:32.097+00:00

Using an authentication cookie in a browser based application is the industry standard pattern. ASP.NET's well-tested authentication and authorization libraries are build around an authentication cookie.

One possible solution is to use a mater page with a hidden input to store encrypted user information. Write code that fetches the user data on each request and populate the IPrincipal so the standard Web Forms authentication/authorization tools continue to work.

Keep in mind, the proposed design is less secure than a cookie because the hidden filed is exposed to JavaScript. JavaScript cannot access an authentication cookie. Warn the customer this requirement makes the application less secure than using standard patterns and practices.

Answer 1

Hello @Praneeth Kumar Pagunta , in order to stop relying on cookies you can implement a custom ICookieManager but this time instead of reading and writing the auth ticket to a cookie it will be done to the Session State. Session itself is written to a cookie by default but you can disable that too. You will inject your custom ICookieManager manager here:

   app.UseCookieAuthentication(new CookieAuthenticationOptions { CookieManager = new MyCustomCookieManager() }) ;

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

Share via

Is it possible to Implement Azure Ad Authentication in webforms without cookie authenticationtype ?

1 answer

Your answer