This repository was archived by the owner on Dec 13, 2018. It is now read-only.
This repository was archived by the owner on Dec 13, 2018. It is now read-only.
Changing name of correlation and nonce cookie in OpenID Connect middleware #1033
Description
I'm using the two ASP.NET Core middlewares for OpenID Connect and cookie authentication like below:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationScheme = "cookie",
CookieName = "clientcookiename",
CookieHttpOnly = true,
CookieSecure = _hostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always,
AutomaticAuthenticate = true,
AutomaticChallenge = false,
ExpireTimeSpan = TimeSpan.FromMinutes(60)
});
var oidcOptions = new OpenIdConnectOptions
{
AuthenticationScheme = "oidc",
SignInScheme = "cookie",
...
};
app.UseOpenIdConnectAuthentication(oidcOptions);
During login in the web application this results in some default cookies related to nonce and correlation which look like this (exported from my browser developer tools):
{
"domain": "localhost",
"expirationDate": 1478762475.872038,
"hostOnly": true,
"httpOnly": true,
"name": ".AspNetCore.OpenIdConnect.Nonce.CfDJ...ihRRfQid0Rw",
"path": "/",
"sameSite": "no_restriction",
"secure": false,
"session": false,
"storeId": "0",
"value": "N",
"id": 1
},
{
"domain": "localhost",
"expirationDate": 1478762474.872093,
"hostOnly": true,
"httpOnly": true,
"name": ".AspNetCore.Correlation.oidc.Apx...XlCFhuc...Hcq8",
"path": "/",
"sameSite": "no_restriction",
"secure": false,
"session": false,
"storeId": "0",
"value": "N",
"id": 2
}
I would like to change the CookieName of these cookies in order to make my web applications more anonymous. Why publicly expose the fact that my web applications run ASP.NET Core?
The cookie options is hard coded:
Will a change of CookieName have any consequences in some other place I'm not aware of?