- Introduction to .NET
- .NET - What is .NET?
- .NET - History and Evolution of .NET
- .NET - Ecosystem Overview
- .NET - Installing Visual Studio and Setting Up Environment
- .NET - Your First .NET Application (Console App)
- .NET - Understanding .NET CLI
- C# Fundamentals
- C# - Syntax and Structure
- C# - Data Types and Variables
- C# - Operators and Expressions
- C# - Control Statements (if, switch, loops)
- C# - Methods and Parameters
- C# - Exception Handling in C#
- C# - File Handling in C#
- C# - Collections and Generics
- Object-Oriented Programming in C#
- C# - Classes and Object
- .NET Authentication and Authorization
- .NET - Identity in ASP.NET Core
- .NET - Cookie Authentication
- .NET - JWT Authentication
- .NET - Role-Based and Policy-Based Authorization
- .NET - Securing Web APIs
- .NET Core Libraries and Tools
- .NET - Using NuGet Packages
- .NET - Logging in .NET Core
- .NET - Configuration Management (appsettings.json)
- .NET - Globalization and Localization
- .NET - Working with DateTime and TimeZones
- .NET - Working with JSON in .NET
- Popular Real-World Projects
- .NET - Build a URL Shortener with ASP.NET Core
- .NET - Build a Blog System with ASP.NET Core and EF Core
- .NET - Build a REST API for Task Management
.NET - Cookie Authentication
Cookie Authentication in .NET
Cookie authentication in .NET, especially in ASP.NET Core, is a fundamental mechanism for managing user sessions and securing web applications. It stores authentication tickets inside browser cookies to track authenticated users. In this tutorial, you will learn how cookie authentication works in .NET, how to implement it step-by-step, and how to secure it properly.
What is Cookie Authentication in .NET?
Cookie Authentication is a technique where a server creates a cookie containing the user's login credentials (typically encrypted) and sends it to the client. The client then sends this cookie back to the server with every request, allowing the server to validate the user session.
Key Features of Cookie Authentication
- Session persistence using browser cookies
- Built-in support in ASP.NET Core middleware
- Integration with ASP.NET Core Identity
- Support for sliding expiration and absolute expiration
Why Use Cookie Authentication?
Here are some reasons why cookie-based authentication is widely used in ASP.NET Core applications:
- Works well for web applications where the client is a browser
- Simple to implement and manage
- Built-in support in .NET security stack
- Persistent login support
Setting Up Cookie Authentication in ASP.NET Core
To implement cookie authentication in ASP.NET Core, you need to configure services and middleware properly. Below are the steps with complete code examples.
Step 1: Configure Services in Program.cs or Startup.cs
builder.Services.AddAuthentication("MyCookieAuth")
.AddCookie("MyCookieAuth", options =>
{
options.Cookie.Name = "MyAppAuthCookie";
options.LoginPath = "/Account/Login";
options.AccessDeniedPath = "/Account/AccessDenied";
options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
options.SlidingExpiration = true;
});Step 2: Add Middleware
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();Step 3: Create Login Logic
After validating the user, issue the authentication cookie using SignInAsync.
public async Task Login(UserLoginModel model)
{
if (ModelState.IsValid && ValidateUser(model))
{
var claims = new List<Claim>
{
new Claim(ClaimTypes.Name, model.Username),
new Claim("FullName", "John Doe"),
new Claim(ClaimTypes.Role, "Administrator")
};
var claimsIdentity = new ClaimsIdentity(claims, "MyCookieAuth");
var authProperties = new AuthenticationProperties
{
IsPersistent = true,
ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(20)
};
await HttpContext.SignInAsync("MyCookieAuth", new ClaimsPrincipal(claimsIdentity), authProperties);
return RedirectToAction("Index", "Home");
}
return View(model);
} Step 4: Creating Logout Action
public async Task<IActionResult> Logout()
{
await HttpContext.SignOutAsync("MyCookieAuth");
return RedirectToAction("Login", "Account");
}Protecting Routes with Authorization
You can protect controllers or actions using the [Authorize] attribute.
[Authorize]
public class DashboardController : Controller
{
public IActionResult Index()
{
return View();
}
}Role-Based Authorization
[Authorize(Roles = "Administrator")]
public IActionResult AdminPanel()
{
return View();
}Securing Cookie Authentication
To enhance the security of your authentication cookies:
- Use HTTPS to encrypt cookies in transit
- Set HttpOnly and Secure flags on cookies
- Enable expiration and sliding expiration
- Use SameSite to prevent CSRF attacks
options.Cookie.HttpOnly = true;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
options.Cookie.SameSite = SameSiteMode.Strict;Cookie Authentication vs JWT
| Feature | Cookie Authentication | JWT Authentication |
|---|---|---|
| Storage | Stored in browser cookies | Stored in local/session storage or cookies |
| Statefulness | Server-side stateful | Stateless |
| Use Case | Browser-based web apps | Mobile apps, SPAs, APIs |
Sliding Expiration
Sliding expiration resets the cookie expiration time on each request before it expires, keeping active users logged in.
options.SlidingExpiration = true;Handling Access Denied
You can redirect users to a custom access denied page:
options.AccessDeniedPath = "/Account/AccessDenied";AccessDenied Action
public IActionResult AccessDenied()
{
return View();
}Using Claims for User Identity
Claims store user-specific data such as roles, email, or full name:
new Claim(ClaimTypes.Email, "user@example.com"),
new Claim("FullName", "Jane Smith")Common Pitfalls and Fixes
Issue: Authentication Not Working
Make sure the middleware is in the correct order:
app.UseAuthentication();
app.UseAuthorization();Issue: Cookie Not Set
Ensure HTTPS is used and domain/path settings are correct.
Testing Cookie Authentication
You can test cookie behavior using browser dev tools under the Application β Cookies tab. Check for the presence of the cookie name you configured.
Real-World Example of Cookie Authentication
Authentication Flow
- User accesses login page
- Login form posts credentials to server
- Server validates user and sets auth cookie
- User navigates site with cookie automatically sent
- User logs out and server deletes the cookie
Cookie authentication in .NET is a powerful and efficient way to manage user sessions in browser-based applications. It offers flexibility, performance, and integration with the .NET security ecosystem. By following best practices and understanding the configuration, you can build secure and scalable ASP.NET Core applications.
This tutorial has covered everything from basic setup to advanced security and troubleshooting for cookie authentication in .NET.
