TechQA.

Is it safe to send the result of AuthenticationTokenCreateContext.SerializeTicket to the client?

545 views Asked by At

I'm struggling to find information about how sensitive is the result of Microsoft.Owin.Security.Infrastructure.AuthenticationTokenCreateContext.SerializeTicket

Ideally, I'd like to avoid storing it on the server, and instead just send it to the client (as a token) so that I can deserialize it in AuthenticationTokenProvider.ReceiveAsync

Do I need to encrypt it? Is it a problem to send it to the client even after encryption?

All implementations I've seen store this ticket server side, and only send an identifier to the client. I don't know if there is a reason not to send the ticket itself?

c# asp.net owin refresh-token
Original Q&A
1

There are 1 answers

0
youen On BEST ANSWER

I ended up storing the tickets on the server, and only sending an identifier to the clients.

After thinking a bit more, I found the following advantages with this method:

  • Clients can still use the ticket (by sending back the identifier)
  • Tickets can be invalidated server-side (by deleting them from the database), for example when the user password is changed
  • There is no more issue of knowing what data is sensitive or not (the ticket always stays on the server)
  • It prevents ticket forgery (ticket identifiers are random Guids in my implementation)

Related Questions in C#

Related Questions in ASP.NET

Related Questions in OWIN

Related Questions in REFRESH-TOKEN

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions