IdentityServer3 idsrv.partial cookie gets too big

After login when redirecting the user using context.AuthenticateResult = new AuthenticateResult(<destination>, subject, name, claims) the partial cookie gets so big that it contains up to 4 chunks and ends up causing "request too big" error.

The number of claims is not outrageous (in the 100 range) and I haven't been able to consistently reproduce this on other environments, even with larger number of claims. What else might be affecting the size of this cookie payload?

Running IdSrv3 2.6.1

Wendolyn answered 1/6, 2018 at 11:54 Comment(1)
Is your client using the Microsoft Owin middleware? - Pleasant

I assume that you are using some .NET Framework clients, because all of these problems are usually connected with the Microsoft.Owin middleware, which has some encryption that causes the cookie to get this big.

The solution for you is again part of this middleware. All of your clients (using the Identity Server as authority) need to have a custom IAuthenticationSessionStore implementation.

This is an interface, part of Microsoft.Owin.Security.Cookies.

You need to implement it according to whatever store you want to use for it, but basically it has the following structure:

using System.Threading.Tasks;
using Microsoft.Owin.Security;

public interface IAuthenticationSessionStore
{
    // Delete the ticket stored under key (called on sign-out).
    Task RemoveAsync(string key);
    // Overwrite the ticket under an existing key (called on sliding renewal).
    Task RenewAsync(string key, AuthenticationTicket ticket);
    // Load the ticket for key; returns null when unknown or expired.
    Task<AuthenticationTicket> RetrieveAsync(string key);
    // Persist a new ticket and return the key that goes into the cookie.
    Task<string> StoreAsync(AuthenticationTicket ticket);
}

We ended up implementing a SQL Server store for the cookies. Here is an example of a Redis implementation, and here is another with an EF DbContext, but don't feel forced to use any of those.

Let's say that you implement MyAuthenticationSessionStore : IAuthenticationSessionStore with all the values that it needs.

Then in your Owin Startup.cs when calling:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
    SessionStore = new MyAuthenticationSessionStore(),
    CookieName = cookieName
});

With this, as the documentation for the IAuthenticationSessionStore SessionStore property says:

// An optional container in which to store the identity across requests. When used,
// only a session identifier is sent to the client. This can be used to mitigate
// potential problems with very large identities.

In your header you will have only the session identifier, and the identity itself will be read from the store that you have implemented.

Pleasant answered 4/6, 2018 at 18:45 Comment(0)
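As an added illustration (not the answer's SQL Server store, nor code from IdentityServer3 or Microsoft.Owin), here is a complete in-memory IAuthenticationSessionStore for the Microsoft.Owin cookie middleware, wired into an Owin Startup class. The class name, the cookie name "myapp.auth" and the use of an in-process dictionary are assumptions; the interface, AuthenticationTicket and CookieAuthenticationOptions members are the real Microsoft.Owin.Security.Cookies ones. The two security details a practitioner wants from such a store are that the key sent to the browser is unguessable (it now stands in for the whole signed ticket) and that a looked-up ticket is still checked against its own expiry, so a leaked old key cannot resurrect a session:

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example store: keeps tickets in process, so it only works for a single
// web node. Put a shared store (SQL Server, Redis, ...) behind the same
// interface when the client runs on more than one machine.
public class InMemoryAuthenticationSessionStore : IAuthenticationSessionStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>(StringComparer.Ordinal);

    // The key is the only thing that reaches the browser, so it must be
    // unguessable: 32 bytes from a CSPRNG, not a GUID or a counter.
    private static string NewKey()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        // base64url so the value is safe inside a cookie without encoding.
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = NewKey();
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        // Sliding expiration: the middleware hands back the refreshed ticket
        // under the existing key; overwrite in place.
        _tickets[key] = ticket;
        return Task.FromResult(0);
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        AuthenticationTicket ticket;
        if (key == null || !_tickets.TryGetValue(key, out ticket))
        {
            // Unknown key: the middleware treats null as "not authenticated".
            return Task.FromResult<AuthenticationTicket>(null);
        }

        // Honour the ticket's own ExpiresUtc so a stale key cannot be replayed
        // after the session should have ended.
        var expires = ticket.Properties != null ? ticket.Properties.ExpiresUtc : null;
        if (expires.HasValue && expires.Value <= DateTimeOffset.UtcNow)
        {
            _tickets.TryRemove(key, out ticket);
            return Task.FromResult<AuthenticationTicket>(null);
        }

        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        AuthenticationTicket removed;
        // Sign-out now invalidates the session server side, which a purely
        // cookie-based ticket cannot do.
        _tickets.TryRemove(key, out removed);
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            CookieName = "myapp.auth",              // assumed name
            CookieHttpOnly = true,                  // keep the key away from script
            CookieSecure = CookieSecureOption.Always,
            SessionStore = new InMemoryAuthenticationSessionStore()
        });

        // The OpenID Connect middleware pointing at IdentityServer is registered
        // after this, as in any IdSrv3 client; it is unchanged by the store.
    }
}
```

With the store in place the browser cookie holds roughly 43 characters of key instead of the protected ticket, so the chunking and "request too big" symptoms on the client side disappear regardless of how many claims the identity carries. The same trade-off applies to any backing store: a session is now revocable server side, but the store has to be reachable from every node that validates the cookie.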
