0

I am trying to implement bearer token based validation with using Authorize attribute on a controller in MVC6.

I am following this post: Token Based Authentication in ASP.NET Core

One guy put whatis written in the post above to: https://github.com/mrsheepuk/ASPNETSelfCreatedTokenAuthExample

Based on this example. if client sends request to server to specific controller that is decorated with Authorize attribute, Authorize attribute will check request header called authorization and if this header will have valid token then the request will pass, otherwise request will be denied (correct me here if im wrong)

What I want to do here is I want to send the token not in authorization header, but in a cookie and take that token from cookie and validate it while still using authorization attribute on a controller.

How should I do this, I was looking at a new asp.net 5 feature authorization policies, but seems that they do not have what I need. Is there a way to do this?

Community
  • 1
  • 1
Jaunius Eitmantis
  • 211
  • 2
  • 11

1 Answers1

1

You would have to write your own authentication middleware for this, which isn't exactly a fun exercise.

You'd also have to consider how to get the token into a cookie, and how to secure that cookie properly. Having a raw token in a cookie that is available to client side code, and which isn't, at the very least signed, is a security vulnerability waiting to happen.

blowdart
  • 55,577
  • 12
  • 114
  • 149