ASP.NET Core - How to change default name of OpenID Connect middleware (nonce and correlation) cookies


I'm using 2 ASP.NET Core middlewares, OpenID Connect and cookie authentication, as below:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationScheme = "cookie",
        CookieName = "clientcookiename",
        CookieHttpOnly = true,
        CookieSecure = _hostingEnvironment.IsDevelopment()
            ? CookieSecurePolicy.SameAsRequest
            : CookieSecurePolicy.Always,
        AutomaticAuthenticate = true,
        AutomaticChallenge = false,
        ExpireTimeSpan = TimeSpan.FromMinutes(60)
    });

    var oidcOptions = new OpenIdConnectOptions
    {
        AuthenticationScheme = "oidc",
        SignInScheme = "cookie",
        ...
    };
    app.UseOpenIdConnectAuthentication(oidcOptions);

During login in the web application, this results in default cookies related to nonce and correlation (exported from browser developer tools):

    {
      "domain": "localhost",
      "expirationdate": 1478762475.872038,
      "hostonly": true,
      "httponly": true,
      "name": ".aspnetcore.openidconnect.nonce.cfdj...ihrrfqid0rw",
      "path": "/",
      "samesite": "no_restriction",
      "secure": false,
      "session": false,
      "storeid": "0",
      "value": "n",
      "id": 1
    },
    {
      "domain": "localhost",
      "expirationdate": 1478762474.872093,
      "hostonly": true,
      "httponly": true,
      "name": ".aspnetcore.correlation.oidc.apx...xlcfhuc...hcq8",
      "path": "/",
      "samesite": "no_restriction",
      "secure": false,
      "session": false,
      "storeid": "0",
      "value": "n",
      "id": 2
    }

  1. What is the responsibility of these cookies?
  2. How to change the CookieName of these cookies?
  3. Will changing the CookieName of these cookies have consequences in other places?

What is the responsibility of these cookies?

The correlation and nonce cookies are respectively used to prevent XSRF/session fixation attacks and replay attacks. They are an essential part of the security checks used by the OpenID Connect middleware.

How to change the CookieName of these cookies?

You can't. In both cases, the cookie name is not configurable (it's prefixed by a hardcoded part).

The relevant code can be found here:
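
The following is an added illustration, not the code the answer links to and not the middleware's implementation: a simplified C# model of the two checks, showing why each cookie name is a fixed prefix plus a per-login random value while the value is only a marker (as in the export above). The class and method names are hypothetical, a dictionary stands in for the browser's cookie jar, and the data-protection step applied to the real nonce is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Simplified model with hypothetical names (OidcCookieModel, Challenge, ValidateCallback).
// The per-login random value sits in the cookie *name*; the value is only a marker.
static class OidcCookieModel
{
    const string NoncePrefix = ".AspNetCore.OpenIdConnect.Nonce.";
    const string CorrelationPrefix = ".AspNetCore.Correlation.oidc."; // "oidc" = scheme name

    static string RandomToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Challenge: set both cookies; the same values go to the provider
    // (correlation id inside "state", nonce as the "nonce" parameter).
    public static (string CorrelationId, string Nonce) Challenge(IDictionary<string, string> cookies)
    {
        var correlationId = RandomToken();
        var nonce = RandomToken();
        cookies[CorrelationPrefix + correlationId] = "N";
        cookies[NoncePrefix + nonce] = "N";
        return (correlationId, nonce);
    }

    // Callback: each returned value must match a cookie held by *this* browser.
    // Both cookies are deleted on first use, so a repeated response is rejected.
    public static bool ValidateCallback(IDictionary<string, string> cookies,
        string correlationIdFromState, string nonceFromIdToken)
    {
        bool correlated = cookies.Remove(CorrelationPrefix + correlationIdFromState);
        bool nonceKnown = cookies.Remove(NoncePrefix + nonceFromIdToken);
        return correlated && nonceKnown;
    }

    static void Main()
    {
        var browser = new Dictionary<string, string>();
        var (cid, nonce) = Challenge(browser);
        Console.WriteLine(ValidateCallback(browser, cid, nonce)); // genuine callback
        Console.WriteLine(ValidateCallback(browser, cid, nonce)); // same response replayed
        Console.WriteLine(ValidateCallback(new Dictionary<string, string>(), cid, nonce)); // other browser
    }
}
```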

