Is it safe to send the result of AuthenticationTokenCreateContext.SerializeTicket to the client?

Question

I'm struggling to find information about how sensitive is the result of Microsoft.Owin.Security.Infrastructure.AuthenticationTokenCreateContext.SerializeTicket

Ideally, I'd like to avoid storing it on the server, and instead just send it to the client (as a token) so that I can deserialize it in AuthenticationTokenProvider.ReceiveAsync

Do I need to encrypt it? Is it a problem to send it to the client even after encryption?

All implementations I've seen store this ticket server side, and only send an identifier to the client. I don't know if there is a reason not to send the ticket itself?

Answer 1

I ended up storing the tickets on the server, and only sending an identifier to the clients.

After thinking a bit more, I found the following advantages with this method:

• Clients can still use the ticket (by sending back the identifier)
• Tickets can be invalidated server-side (by deleting them from the database), for example when the user password is changed
• There is no more issue of knowing what data is sensitive or not (the ticket always stays on the server)
• It prevents ticket forgery (ticket identifiers are random Guids in my implementation)