0

I'm approaching a new project and I am weighing up using MVC5 and Identity thru OWIN.

I am running the scaffolding project for which provides the entity framework user database, register/ sign in etc.. No third party or two factor.

As I currently understand it, OWIN Security is based on the cookie, now, its been a few years since I have dabbled in the Web, BUT I was under the impression that identity and claims should be stored in the session.

I'm inspecting the cookie that is set when a user logs in and various claims are set. I don't actually know what the underlying framework does, and I am struggling to find out:

  • are there any technical links? Not about how to implement the interfaces and setup this up, but on the security and best practices.
  • What is actually in this cookie and how can I inspect with EditThisCookie what is set? as its encrypted or obfuscated?
  • How is this more secure than session?
  • If someone, some how got this cookie, could they basically sign in as the same user?
  • Does this scale? as normally multiple front ends would talk to the same session server.
4

1 回答 1

1

我们有很多样品供您亲身体验。 https://github.com/AzureADSamples

要回答您的一些问题:

这个 cookie 中到底有什么,我如何使用 EditThisCookie 检查设置了什么?身份验证成功后,用户身份将存储在包含其身份的 cookie 中。

作为其加密或混淆?默认情况下,cookie 是加密和签名的。这比会话更安全吗?

如果有人,有些人是怎么得到这个cookie的,他们基本上可以以同一个用户身份登录吗?除非 Channel 绑定生效,否则是的。

这个规模吗?因为通常多个前端会与同一个会话服务器通信。我们发现它确实可以扩展。使用 SymmetricKey 加密,速度很快。

可以选择使用缓存而不是将详细信息放在网络上。这需要一个分布式缓存,而大多数开发人员似乎并不想这样做。

于 2015-07-08T21:16:29.277 回答