How can I use System.Security.Cryptography to decrypt ASP.NET Identity2 OWIN cookie?

I tried ProtectedData.Unprotect(), but it turns out that it doesn't take OWIN middleware into account. I know I CAN use System.Web.Security.MachineKey.Unprotect(), but I would very much like to leave System.Web.Security out of the project and just use System.Security.

trailmax
OzrenTkalcecKrznaric
  • Why do you need to unprotect it? – trailmax Jan 13 '17 at 23:11
  • I have two projects: a web project with custom ASP.NET Identity v2 set up (actually Identity core without Entity Framework), and the other one which is a console application project. The console application should be a user management application - should be able to delete user, add user, change password, verify password etc. And I don't want to stuff it with unnecessary dependencies. – OzrenTkalcecKrznaric Jan 14 '17 at 13:50
  • So why do you need to decrypt cookies? They don't come close to what you describe. Passwords are hashed, not protected. And passwords don't go into cookies. – trailmax Jan 14 '17 at 14:52
  • Ok, in short: use TeamViewer, connect to the desktop of the user having trouble with authentication (he's watching all of it), use i.e. the edit-this-cookie plugin to get the cookie, copy/paste it to the local computer, feed it to the console application to validate against the database. I hope this is clear now. I KNOW there is no password in the cookie, but there should be a hash to validate against my own database (along with claims and other auth stuff). So, is there a way to use ProtectedData.Unprotect() to do this? – OzrenTkalcecKrznaric Jan 14 '17 at 15:13
  • Sounds like a lot of work. If the user can't log in, they would not have a cookie to decrypt. If they have trouble with resource access when they have passed the login screen - you can see what they see by [user impersonation](http://stackoverflow.com/q/24161782/809357) – trailmax Jan 14 '17 at 19:46
  • Also, the password hash is not in the cookie either (your comment sounds like you hope for it, please excuse me if I read you incorrectly). The cookie contains user ID, security stamp, roles, claims and a few other framework-related things. – trailmax Jan 14 '17 at 19:48

0 Answers