ASP.NET Core MVC and cookie-based auth, and a few related queries

T.Zacks 3,996 Reputation points
2022-08-11T18:29:45.517+00:00

I have read this page: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-6.0

See this code:

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
        options.SlidingExpiration = true;
        options.AccessDeniedPath = "/Forbidden/";
    });

1) What is AccessDeniedPath?
Is Forbidden a folder name? Please tell me what kind of folder is called Forbidden.
Will only protected resources be stored in the Forbidden folder?
If I want to protect more folders than the single Forbidden one, how can I specify that here?

See this code:

var cookiePolicyOptions = new CookiePolicyOptions
{
    MinimumSameSitePolicy = SameSiteMode.Strict,
};

If I set MinimumSameSitePolicy, what will happen? If it is not set, what will happen when cookies are dropped on the user's PC?
Many web sites ask permission to save cookies on the user's PC. Does the above code show any message to the user?
The objective of MinimumSameSitePolicy is not clear. When do I need to use the MinimumSameSitePolicy property?
Please guide me.

See this code:

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

If any exception occurs when the site runs from the IDE, will the user be redirected to the Error controller or the Error action?
What is app.UseHsts();?

See this code:

var authProperties = new AuthenticationProperties
{
    //AllowRefresh = <bool>,
    // Refreshing the authentication session should be allowed.

    //ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(10),
    // The time at which the authentication ticket expires. A
    // value set here overrides the ExpireTimeSpan option of
    // CookieAuthenticationOptions set with AddCookie.

    //IsPersistent = true,
    // Whether the authentication session is persisted across
    // multiple requests. When used with cookies, controls
    // whether the cookie's lifetime is absolute (matching the
    // lifetime of the authentication ticket) or session-based.

    //IssuedUtc = <DateTimeOffset>,
    // The time at which the authentication ticket was issued.

    //RedirectUri = <string>
    // The full path or absolute URI to be used as an http
    // redirect response value.
};

await HttpContext.SignInAsync(
    CookieAuthenticationDefaults.AuthenticationScheme,
    new ClaimsPrincipal(claimsIdentity),
    authProperties);

OR

await HttpContext.SignInAsync(
    CookieAuthenticationDefaults.AuthenticationScheme,
    new ClaimsPrincipal(claimsIdentity),
    new AuthenticationProperties
    {
        IsPersistent = true
    });

When should the AuthenticationProperties class be used?
Why are all the properties of the AuthenticationProperties class commented out?
a) What is AllowRefresh? Is it sliding expiration?
b) What does RedirectUri do?

How do I store custom information in cookies and read it later? Do I need to store custom info in claims?

Looking for answers to all my points. Thanks in advance.

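The question's snippets are fragments of a Program.cs. The following is an added example (not the asker's code and not the code from the linked docs page) that puts them together in one .NET 6 MVC host: AccessDeniedPath and LoginPath are routes that must resolve to controller actions (here assumed to be AccountController.Login and AccountController.Forbidden, plus an /Error action), the cookie policy is registered and applied with UseCookiePolicy(), and the exception handler and HSTS are wired only outside Development. Everything not in the question (the Account routes, the cookie hardening settings) is an assumption of this example.

```csharp
// Program.cs (added example, not from the question or the linked docs).
// Minimal ASP.NET Core 6 MVC host wiring up cookie authentication,
// a SameSite cookie policy, and the production-only error/HSTS middleware.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // Where anonymous users are sent (302) when they request an [Authorize] resource.
        // Assumed route: AccountController.Login.
        options.LoginPath = "/Account/Login";
        // Where authenticated but unauthorised users are sent (302 instead of a bare 403).
        // This is a URL, not a folder on disk: it must map to an action (assumed: AccountController.Forbidden).
        options.AccessDeniedPath = "/Account/Forbidden";
        options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
        options.SlidingExpiration = true;
        // Harden the authentication cookie itself: no script access, HTTPS only, SameSite=Strict.
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Strict;
    });

// Policy applied to every cookie the app writes once UseCookiePolicy() is in the pipeline:
// any cookie asking for a weaker SameSite value than Strict is upgraded to Strict.
// This is a server-side cookie attribute; it does not show a consent banner to the user.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.MinimumSameSitePolicy = SameSiteMode.Strict;
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = CookieSecurePolicy.Always;
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    // Production: an unhandled exception re-executes the request at /Error
    // (assumed to be a controller action that renders a friendly page).
    app.UseExceptionHandler("/Error");
    // Emit Strict-Transport-Security so the browser uses HTTPS for later requests to this host.
    app.UseHsts();
}
else
{
    // Development: the detailed developer exception page is shown instead
    // (WebApplication enables it by default in Development; shown here for clarity).
    app.UseDeveloperExceptionPage();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();   // must run before any middleware that writes cookies
app.UseRouting();
app.UseAuthentication(); // decrypts the cookie and populates HttpContext.User
app.UseAuthorization();  // enforces [Authorize] against that principal

app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");

app.Run();
```

The order of UseAuthentication() before UseAuthorization() matters: the authorization middleware can only evaluate [Authorize] once the cookie handler has turned the ticket into a ClaimsPrincipal. With the settings above, a request from a signed-in user who lacks the required role receives a 302 to /Account/Forbidden rather than a 403, which is exactly the behaviour AccessDeniedPath controls.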

Accepted answer
AgaveJoe 30,126 Reputation points
2022-08-11T20:17:59.9+00:00

1) What is AccessDeniedPath?

The AccessDeniedPath option allows you to send a 302 (redirect) to the browser rather than a 403 (Forbidden). The path is the action URL so you can return a friendly message.

If I set MinimumSameSitePolicy, what will happen?

This is a fairly broad subject with history and thoroughly covered in the official documentation. Read the docs first and if you still have questions then ask.

Work with SameSite cookies in ASP.NET Core

If any exception occurs when the site runs from the IDE, will the user be redirected to the Error controller or the Error action?

If any error happens and the environment is NOT development, then you get to return a friendly message to the user.

Use multiple environments in ASP.NET Core

What is app.UseHsts();?

It sets the Strict-Transport-Security response header which tells the browser to use HTTPS for any HTTP requests.

HstsBuilderExtensions.UseHsts(IApplicationBuilder) Method
Strict-Transport-Security

When should the AuthenticationProperties class be used?

The comments clearly explain the options and the options are very easy to look up. Start with the docs or perhaps play with the options in a test application.

Why are all the properties of the AuthenticationProperties class commented out?

It's just an example of common options with descriptions of what the options do.

How do I store custom information in cookies and read it later? Do I need to store custom info in claims?

The code sample illustrates this. I'm not sure what you do not understand. The claims are part of a token. The token is encrypted and cached in the authentication cookie. On each request the cookie authentication API reads the token and populates a Principal object. The Principal is what the [Authorize] attribute looks at to determine access to a secured resource. I explained this process in your other thread.

Claims-based authorization in ASP.NET Core
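To make the answer's last point concrete (custom data lives as claims inside the encrypted ticket, and AccessDeniedPath is just an action URL), here is an added example controller that is neither the answer's nor the docs' code. It assumes the cookie scheme is registered with LoginPath = "/Account/Login" and AccessDeniedPath = "/Account/Forbidden", that Login and Forbidden views exist, and it uses a placeholder credential check and a hypothetical custom claim type ("urn:example:theme"); the sample credentials are constructed for the example only.

```csharp
// AccountController.cs (added example, not the question's or the docs' code).
// Issues the auth cookie with a custom claim and AuthenticationProperties,
// shows the action AccessDeniedPath resolves to, and reads the claim back later.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    // Placeholder check for the example; a real app verifies a salted password hash from its user store.
    private static bool CredentialsAreValid(string user, string password)
        => user == "demo" && password == "demo-password"; // constructed sample values

    [HttpGet]
    public IActionResult Login(string? returnUrl = null)
    {
        ViewData["ReturnUrl"] = returnUrl;
        return View();
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string user, string password, string? returnUrl = null)
    {
        if (!CredentialsAreValid(user, password))
        {
            ModelState.AddModelError(string.Empty, "Invalid login.");
            return View();
        }

        // Custom information goes into the ticket as claims. The ticket is encrypted and
        // integrity-protected by data protection, so the browser cannot read or alter it.
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, user),
            new Claim(ClaimTypes.Role, "Member"),
            new Claim("urn:example:theme", "dark"), // hypothetical custom claim type
        };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);

        var props = new AuthenticationProperties
        {
            // Persistent cookie that survives a browser restart; false gives a session cookie.
            IsPersistent = true,
            // Allow the sliding-expiration renewal to re-issue this ticket; false pins it to ExpiresUtc.
            AllowRefresh = true,
            // Absolute lifetime for this ticket, overriding ExpireTimeSpan from AddCookie.
            ExpiresUtc = DateTimeOffset.UtcNow.AddHours(8),
            // RedirectUri is where the cookie handler redirects after sign-in when the sign-in
            // request arrived at LoginPath; left unset because this action redirects itself below.
        };

        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity),
            props);

        // Only follow local return URLs so the login page cannot be used as an open redirect.
        return Url.IsLocalUrl(returnUrl) ? LocalRedirect(returnUrl!) : RedirectToAction("Profile");
    }

    // A signed-in "Member" requesting this is redirected (302) to /Account/Forbidden
    // via AccessDeniedPath; an anonymous user is redirected to LoginPath instead.
    [Authorize(Roles = "Admin")]
    public IActionResult AdminOnly() => Content("admin area");

    // The action AccessDeniedPath points at: an ordinary action, not a folder of protected files.
    [AllowAnonymous]
    public IActionResult Forbidden() => View();

    // On a later request UseAuthentication() has already decrypted the cookie into User,
    // so the custom claim is read from the principal, not from a cookie value.
    [Authorize]
    public IActionResult Profile()
    {
        var theme = User.FindFirst("urn:example:theme")?.Value ?? "light";
        return Content($"Hello {User.Identity!.Name}, theme = {theme}");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return RedirectToAction("Index", "Home");
    }
}
```

Two points worth checking in a real deployment: keep the claim set small, since the whole ticket travels in the cookie on every request and large tickets get split into chunks; and prefer a short AccessDeniedPath target that renders a static message, because the redirect replaces the 403 the browser would otherwise see, so monitoring for authorization failures should key off the redirect to that path rather than the status code.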

