I'm approaching a new project and I am weighing up using MVC5 and Identity through OWIN.
I am running the scaffolding project, which provides the Entity Framework user database, register/sign in etc. No third party or two factor.
As I currently understand it, OWIN Security is based on the cookie. Now, it's been a few years since I have dabbled in the Web, BUT I was under the impression that identity and claims should be stored in the session.
I'm inspecting the cookie that is set when a user logs in and various claims are set. I don't actually know what the underlying framework does, and I am struggling to find out:
- Are there any technical links? Not about how to implement the interfaces and set this up, but on the security and best practices.
- What is actually in this cookie, and how can I inspect with EditThisCookie what is set, as it's encrypted or obfuscated?
- How is this more secure than session?
- If someone somehow got this cookie, could they basically sign in as the same user?
- Does this scale? As normally multiple front ends would talk to the same session server.
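As an added illustration of the cookie questions above (this is example code, not from the original post or the MVC5 template itself), here is a hardened `ConfigureAuth` for the OWIN cookie middleware plus a server-side helper that unprotects the cookie so you can see what it carries. The names `ApplicationDbContext`, `ApplicationUserManager`, `ApplicationUser` and `GenerateUserIdentityAsync` are assumed to be the ones the scaffolded template generates; `DumpTicket` is a hypothetical diagnostic helper added here.

```csharp
using System;
using System.Linq;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // Kept so DumpTicket can reuse the same TicketDataFormat the middleware uses.
    private static CookieAuthenticationOptions _cookieOptions;

    public void ConfigureAuth(IAppBuilder app)
    {
        // Template-scaffolded names (assumed): EF context and user manager per request.
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        _cookieOptions = new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            // The cookie is the bearer credential: never send it over plain HTTP
            // and keep it out of reach of page scripts.
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true,

            // Bound how long a leaked ticket stays usable.
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true,

            Provider = new CookieAuthenticationProvider
            {
                // Periodically re-check the user's security stamp in the database.
                // A password change or UpdateSecurityStampAsync makes every
                // previously issued cookie fail this check, i.e. sign out everywhere.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        };

        app.UseCookieAuthentication(_cookieOptions);
    }

    // Hypothetical diagnostic: unprotect a cookie value on the server to see the
    // claims and expiry it carries. Only the server holds the key, which is why
    // EditThisCookie shows an opaque blob.
    public static string DumpTicket(string cookieValue)
    {
        AuthenticationTicket ticket = _cookieOptions.TicketDataFormat.Unprotect(cookieValue);
        if (ticket == null)
            return "ticket invalid (wrong key, tampered, or from another app)";

        var claims = ticket.Identity.Claims
            .Select(c => c.Type + "=" + c.Value);
        return "expires " + ticket.Properties.ExpiresUtc + "; claims: "
             + string.Join(", ", claims);
    }
}
```

What this shows about the questions: the cookie is an `AuthenticationTicket` (the `ClaimsIdentity` plus issue and expiry times) that the middleware serializes and protects with the data-protection provider; on IIS that is the ASP.NET `machineKey`, so nothing is readable or forgeable without it. Because the ticket travels with the request, there is no session server to share: any front end with the same `<machineKey>` in `web.config` validates it, which is how it scales. A stolen cookie does act as the user until it expires, which is why `CookieSecure`, `CookieHttpOnly`, a short `ExpireTimeSpan` and the security-stamp validator matter; calling `UserManager.UpdateSecurityStampAsync(userId)` revokes outstanding cookies at the next validation interval.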
We have a lot of samples for you to get your feet wet. https://github.com/AzureADSamples
To answer some of your questions:
There is the option of using a cache and not putting the details on the wire. This requires a distributed cache, which most developers do not seem to want to do.