
I have created the code below to enable authentication on my ASP.NET Core 3.1 site that is not using the full-blown Identity framework but instead just UseAuthentication in Startup.

Startup.cs cookie settings:

    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    // Cookie authentication without ASP.NET Core Identity.
    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie(cookieOptions =>
    {
        cookieOptions.Cookie.Name = "UserLoginCookie";
        cookieOptions.LoginPath = "/Login/";
        // Ticket lifetime; renewed on activity because SlidingExpiration is on.
        cookieOptions.ExpireTimeSpan = TimeSpan.FromMinutes(1);
        cookieOptions.SlidingExpiration = true;
    });

    // Every Razor Page requires an authenticated user except the /Login folder.
    services.AddRazorPages().AddRazorPagesOptions(options =>
    {
        options.Conventions.AllowAnonymousToFolder("/Login");
        options.Conventions.AuthorizeFolder("/");
    });

The IndexModel for my Razor login page utilized the following cookie-related code:

    // Build the identity that will be serialised into the authentication cookie.
    var claims = new List<Claim>
    {
        new Claim(ClaimTypes.Name, UserName)
    };
    var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);

    if (RememberMe)
    {
        // Persistent cookie: survives closing the browser until ExpiresUtc.
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(claimsIdentity),
            new AuthenticationProperties
            {
                IsPersistent = RememberMe,
                ExpiresUtc = DateTimeOffset.UtcNow.AddDays(30)
            });
    }
    else
    {
        // Session cookie: discarded when the browser closes.
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(claimsIdentity));
    }
    return RedirectToPage("/index");

I allow the user to select "Remember me" or not on the login page, and if they do then it creates a persistent cookie. Therefore, if the user selects this option and leaves the site they are not required to log in again as long as the cookie has not expired. My question is: can a cookie only store the username, such that if the user leaves the site/closes the browser they must log in again, but the username is stored in the login form from the cookie? If this is possible, is there a secure way to implement this using a hash and salt with the username stored in the cookie?

If this is not possible, does the current method I am using for authentication securely hash the username and password by default, or do I need to do some additional settings for this? When I look into the browser Application tab for the cookies it looks to be hashed, but I'm not sure to what extent the hash is being secured. Any insight on this would be great.

Irish Redneck
  • Why not just skip "Remember me" and let browser remember username and password for each user? – Roar S. Nov 29 '20 at 17:22
  • You can see this [thread](https://stackoverflow.com/questions/15219039/hashing-user-password-in-cookie),may it helpful. – Yinqiu Nov 30 '20 at 06:45
  • How do I allow the Browser to do remember me? Anything to do on my end codewise? For some reason that never pops up for my application when its running in the IIS Express for testing. – Irish Redneck Nov 30 '20 at 14:12
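Added example addressing both parts of the question; it is not the question author's code nor a commenter's. It keeps the authentication cookie a session cookie (IsPersistent = false, so the browser drops it on close and the user must sign in again) and remembers only the username in a separate, non-secret cookie that the login form reads on GET. The page class LoginModel, the cookie name RememberedUser, and the in-memory user table are assumptions; the Startup configuration from the question is kept unchanged. Password checking uses PasswordHasher<TUser> from Microsoft.Extensions.Identity.Core, which ships with the ASP.NET Core shared framework.

```csharp
// Added example, not the question author's code. Keeps the auth cookie a session
// cookie and remembers only the username in a separate, non-secret cookie.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public class LoginModel : PageModel
{
    // Assumed cookie name; it carries the username only, never a password or a hash of one.
    private const string RememberedUserCookie = "RememberedUser";

    // PBKDF2 with a random per-password salt, from the shared framework.
    private static readonly PasswordHasher<string> Hasher = new PasswordHasher<string>();

    // Constructed in-memory user store (username -> salted hash) standing in for a database.
    private static readonly Dictionary<string, string> Users = new Dictionary<string, string>
    {
        ["alice"] = Hasher.HashPassword("alice", "correct horse battery staple")
    };

    [BindProperty] public string UserName { get; set; }
    [BindProperty] public string Password { get; set; }
    [BindProperty] public bool RememberUserName { get; set; }

    public void OnGet()
    {
        // Pre-fill the form from the username cookie, if present.
        if (Request.Cookies.TryGetValue(RememberedUserCookie, out var remembered))
        {
            UserName = remembered;
            RememberUserName = true;
        }
    }

    public async Task<IActionResult> OnPostAsync()
    {
        if (!CredentialsAreValid(UserName, Password))
        {
            // Same message for unknown user and wrong password.
            ModelState.AddModelError(string.Empty, "Invalid username or password.");
            return Page();
        }

        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, UserName) },
            CookieAuthenticationDefaults.AuthenticationScheme);

        // IsPersistent = false: no Expires attribute, so the browser drops the cookie
        // when it closes and the user must sign in again. The ticket inside is
        // encrypted and signed by Data Protection and never contains the password.
        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity),
            new AuthenticationProperties { IsPersistent = false });

        if (RememberUserName)
        {
            Response.Cookies.Append(RememberedUserCookie, UserName, new CookieOptions
            {
                Expires = DateTimeOffset.UtcNow.AddDays(30),
                HttpOnly = true,               // not readable from page script
                Secure = true,                 // sent over HTTPS only
                SameSite = SameSiteMode.Strict,
                IsEssential = true             // not suppressed by CheckConsentNeeded
            });
        }
        else
        {
            Response.Cookies.Delete(RememberedUserCookie);
        }

        return RedirectToPage("/Index");
    }

    private static bool CredentialsAreValid(string user, string password)
    {
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password)) return false;
        if (!Users.TryGetValue(user, out var storedHash)) return false;
        // Verifies against the stored salted hash; the plaintext password is never stored.
        return Hasher.VerifyHashedPassword(user, storedHash, password)
               != PasswordVerificationResult.Failed;
    }
}
```

On the second part of the question: the authentication cookie produced by SignInAsync is not a hash of the username and password. It is the serialised claims ticket, encrypted and signed by ASP.NET Core Data Protection, which is why it looks opaque in the browser's Application tab; the password is not in it at all, and there is no setting to add. Hashing belongs on the server side, where the stored password hash is compared at login, as CredentialsAreValid does above. A cookie that carried the password, or a hash of it, would add nothing to the login flow and would simply be a second credential to protect, so the username cookie here deliberately holds nothing secret and can be long-lived.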
