Microsoft.Owin.Security.Cookies

Default values related to cookie-based authentication middleware

The default value used for CookieAuthenticationOptions.AuthenticationType

The prefix used to provide a default CookieAuthenticationOptions.CookieName

The default value of the CookieAuthenticationOptions.ReturnUrlParameter

The default value used by UseApplicationSignInCookie for the CookieAuthenticationOptions.LoginPath

The default value used by UseApplicationSignInCookie for the CookieAuthenticationOptions.LogoutPath

Determines how the identity cookie's security property is set.

If the URI that provides the cookie is HTTPS, then the cookie will only be returned to the server on subsequent HTTPS requests. Otherwise if the URI that provides the cookie is HTTP, then the cookie will be returned to the server on all HTTP and HTTPS requests. This is the default value because it ensures HTTPS for all authenticated requests on deployed servers, and also supports HTTP for localhost development and for servers that do not have HTTPS support.

CookieOptions.Secure is never marked true. Use this value when your login page is HTTPS, but other pages on the site which are HTTP also require authentication information. This setting is not recommended because the authentication information provided with an HTTP request may be observed and used by other computers on your local network or wireless connection.

CookieOptions.Secure is always marked true. Use this value when your login page and all subsequent pages requiring the authenticated identity are HTTPS. Local development will also need to be done with HTTPS urls.

Extension methods provided by the cookies authentication middleware

Adds a cookie-based authentication middleware to your web application pipeline.

The IAppBuilder passed to your configuration method An options class that controls the middleware behavior The original app parameter

Adds a cookie-based authentication middleware to your web application pipeline.

The IAppBuilder passed to your configuration method An options class that controls the middleware behavior The original app parameter

Cookie based authentication middleware

Initializes a

The next middleware in the OWIN pipeline to invoke The OWIN application Configuration options for the middleware

Provides the object for processing authentication-related requests.

An configured with the supplied to the constructor.

Contains the options used by the CookiesAuthenticationMiddleware

Create an instance of the options initialized with the default values

Determines the cookie name used to persist the identity. The default value is ".AspNet.Cookies". This value should be changed if you change the name of the AuthenticationType, especially if your system uses the cookie authentication middleware multiple times.

Determines the domain used to create the cookie. Is not provided by default.

Determines the path used to create the cookie. The default value is "/" for highest browser compatability.

Determines if the browser should allow the cookie to be accessed by client-side javascript. The default is true, which means the cookie will only be passed to http requests and is not made available to script on the page.

Determines if the cookie should only be transmitted on HTTPS request. The default is to limit the cookie to HTTPS requests if the page which is doing the SignIn is also HTTPS. If you have an HTTPS sign in page and portions of your site are HTTP you may need to change this value.

Controls how much time the cookie will remain valid from the point it is created. The expiration information is in the protected cookie ticket. Because of that an expired cookie will be ignored even if it is passed to the server after the browser should have purged it

The SlidingExpiration is set to true to instruct the middleware to re-issue a new cookie with a new expiration time any time it processes a request which is more than halfway through the expiration window.

The LoginPath property informs the middleware that it should change an outgoing 401 Unauthorized status code into a 302 redirection onto the given login path. The current url which generated the 401 is added to the LoginPath as a query string parameter named by the ReturnUrlParameter. Once a request to the LoginPath grants a new SignIn identity, the ReturnUrlParameter value is used to redirect the browser back to the url which caused the original unauthorized status code. If the LoginPath is null or empty, the middleware will not look for 401 Unauthorized status codes, and it will not redirect automatically when a login occurs.

If the LogoutPath is provided the middleware then a request to that path will redirect based on the ReturnUrlParameter.

The ReturnUrlParameter determines the name of the query string parameter which is appended by the middleware when a 401 Unauthorized status code is changed to a 302 redirect onto the login path. This is also the query string parameter looked for when a request arrives on the login path or logout path, in order to return to the original url after the action is performed.

The Provider may be assigned to an instance of an object created by the application at startup time. The middleware calls methods on the provider which give the application control at certain points where processing is occuring. If it is not provided a default instance is supplied which does nothing when the methods are called.

The TicketDataFormat is used to protect and unprotect the identity and other properties which are stored in the cookie value. If it is not provided a default data handler is created using the data protection service contained in the IAppBuilder.Properties. The default data protection service is based on machine key when running on ASP.NET, and on DPAPI when running in a different process.

The SystemClock provides access to the system's current time coordinates. If it is not provided a default instance is used which calls DateTimeOffset.UtcNow. This is typically not replaced except for unit testing.

The component used to get cookies from the request or set them on the response. ChunkingCookieManager will be used by default.

An optional container in which to store the identity across requests. When used, only a session identifier is sent to the client. This can be used to mitigate potential problems with very large identities.

Context passed when a Challenge, SignIn, or SignOut causes a redirect in the cookie middleware

Creates a new context object.

The OWIN request context The cookie middleware options The initial redirect URI

Gets or Sets the URI used for the redirect operation.

This default implementation of the ICookieAuthenticationProvider may be used if the application only needs to override a few of the interface methods. This may be used as a base class or may be instantiated directly.

Specifies callback methods which the invokes to enable developer control over the authentication process. />

Called each time a request identity has been validated by the middleware. By implementing this method the application may alter or reject the identity which has arrived with the request.

Contains information about the login session as well as the user . A representing the completed operation.

Called when an endpoint has provided sign in information before it is converted into a cookie. By implementing this method the claims and extra information that go into the ticket may be altered.

Contains information about the login session as well as the user .

Called when an endpoint has provided sign in information after it is converted into a cookie.

Contains information about the login session as well as the user .

Called when a Challenge, SignIn, or SignOut causes a redirect in the cookie middleware

Contains information about the event

Called during the sign-out flow to augment the cookie cleanup process.

Contains information about the login session as well as information about the authentication cookie.

Called when an exception occurs during request or response processing.

Contains information about the exception that occurred

Create a new instance of the default provider.

Implements the interface method by invoking the related delegate method

Contains information about the event

Implements the interface method by invoking the related delegate method

Contains information about the event

A delegate assigned to this property will be invoked when the related method is called

Context object passed to the ICookieAuthenticationProvider method Exception.

Creates a new instance of the context object.

The OWIN request context The middleware options The location of the exception The exception thrown. The current ticket, if any.

The code path the exception occurred in.

The exception thrown.

True if the exception should be re-thrown (default), false if it should be suppressed.

The current authentication ticket, if any. In the AuthenticateAsync code path, if the given exception is not re-thrown then this ticket will be returned to the application. The ticket may be replaced if needed.

The code paths where exceptions may be reported.

The exception was reported in the AuthenticateAsync code path.

The exception was reported in the ApplyResponseGrant code path, during sign-in, sign-out, or refresh.

The exception was reported in the ApplyResponseChallenge code path, during redirect generation.

Context object passed to the ICookieAuthenticationProvider method ResponseSignedIn.

Creates a new instance of the context object.

The OWIN request context The middleware options Initializes AuthenticationType property Initializes Identity property Initializes Properties property

The name of the AuthenticationType creating a cookie

Contains the claims that were converted into the outgoing cookie.

Contains the extra data that was contained in the outgoing cookie.

Context object passed to the ICookieAuthenticationProvider method ResponseSignIn.

Creates a new instance of the context object.

The OWIN request context The middleware options Initializes AuthenticationType property Initializes Identity property Initializes Extra property Initializes options for the authentication cookie.

The name of the AuthenticationType creating a cookie

Contains the claims about to be converted into the outgoing cookie. May be replaced or altered during the ResponseSignIn call.

Contains the extra data about to be contained in the outgoing cookie. May be replaced or altered during the ResponseSignIn call.

The options for creating the outgoing cookie. May be replace or altered during the ResponseSignIn call.

Context object passed to the ICookieAuthenticationProvider method ResponseSignOut

The options for creating the outgoing cookie. May be replace or altered during the ResponseSignOut call.

Context object passed to the ICookieAuthenticationProvider method ValidateIdentity.

Creates a new instance of the context object.

Contains the initial values for identity and extra data

Called to replace the claims identity. The supplied identity will replace the value of the Identity property, which determines the identity of the authenticated request.

The identity used as the replacement

Called to reject the incoming identity. This may be done if the application has determined the account is no longer active, and the request should be treated as if it was anonymous.

Contains the claims identity arriving with the request. May be altered to change the details of the authenticated user.

Contains the extra meta-data arriving with the request ticket. May be altered.