Is it safe to send the result of AuthenticationTokenCreateContext.SerializeTicket to the client?

525 views Asked by At

I'm struggling to find information about how sensitive is the result of Microsoft.Owin.Security.Infrastructure.AuthenticationTokenCreateContext.SerializeTicket

Ideally, I'd like to avoid storing it on the server, and instead just send it to the client (as a token) so that I can deserialize it in AuthenticationTokenProvider.ReceiveAsync

Do I need to encrypt it? Is it a problem to send it to the client even after encryption?

All implementations I've seen store this ticket server side, and only send an identifier to the client. I don't know if there is a reason not to send the ticket itself?

1

There are 1 answers

0
youen On BEST ANSWER

I ended up storing the tickets on the server, and only sending an identifier to the clients.

After thinking a bit more, I found the following advantages with this method:

  • Clients can still use the ticket (by sending back the identifier)
  • Tickets can be invalidated server-side (by deleting them from the database), for example when the user password is changed
  • There is no more issue of knowing what data is sensitive or not (the ticket always stays on the server)
  • It prevents ticket forgery (ticket identifiers are random Guids in my implementation)