Mohammed Noureldin

Reputation: 16806

Where does ASP.Net Core `cookies authentication` store a reference to that cookie?

Sometimes I used to see PHP developers passing an Id in their cookies and saving a reference to that cookie in the database (so they can authenticate the users by cookies). But in ASP.Net Core, I have never seen that.

How and where does ASP.Net Core know that this cookie is owned by this user? Is everything stored in memory (in some kind of objects)?

If so, does that mean that the users would have to log in again if I restarted my application? Or is there any method that ASP.Net Core provides to persist the references to cookies even after restarting the application?

Upvotes: 8

Views: 6025

Answers (2)

David Jones

Reputation: 3342

The ClaimsPrincipal is serialized, encrypted and sent to the client as a cookie. Once a cookie is created, it becomes the single source of identity. When the client makes a request it sends the cookie, which the server decrypts (which serves as validation) and deserializes into the HttpContext.

Upvotes: 12

jnt

Reputation: 1290

The only thing that the server needs to store is the decryption key, which it stores as a Data Protection key. As per the docs, keys are persisted to these locations:

If the app is hosted in Azure Apps, keys are persisted to the %HOME%\ASP.NET\DataProtection-Keys folder. This folder is backed by network storage and is synchronized across all machines hosting the app.

If the user profile is available, keys are persisted to the %LOCALAPPDATA%\ASP.NET\DataProtection-Keys folder. If the operating system is Windows, the keys are encrypted at rest using DPAPI.

Upvotes: 1
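The mechanism both answers describe, as an added example (not code from the question, the answers, or ASP.NET Core itself): a minimal ASP.NET Core app in which the only server-side state related to cookie authentication is the Data Protection key ring, persisted to disk so that cookies issued before a restart still decrypt afterwards. The key directory, application name, endpoint paths and the `/peek` diagnostic are my own choices; the protector purpose strings in `/peek` are what I understand the cookie handler's defaults to be and should be treated as an assumption.

```csharp
// Added example (not from the question or answers): a minimal ASP.NET Core app
// showing that cookie authentication keeps no per-user server-side record.
// The cookie carries the encrypted, serialized ClaimsPrincipal; the only
// server-side state is the Data Protection key ring, persisted here so that
// cookies survive an application restart. Paths and names are placeholders.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// Persist the key ring outside the process. If keys stay in memory (no user
// profile, ephemeral container), every restart silently signs everyone out.
// "/var/keys" and "DemoApp" are assumed values.
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo("/var/keys"))
    .SetApplicationName("DemoApp");   // must match on every instance sharing the keys

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;                   // not readable from script
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;
        options.ExpireTimeSpan = TimeSpan.FromHours(1);   // expiry is stored inside the ticket
        options.SlidingExpiration = true;
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Sign-in: build a ClaimsPrincipal and let the handler serialize and encrypt it
// into the cookie. Nothing is written to a database or an in-memory table.
// (Real code verifies credentials first; here "user" is just a query parameter.)
app.MapPost("/login", async (HttpContext ctx, string user) =>
{
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.Name, user), new Claim(ClaimTypes.Role, "member") },
        CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                          new ClaimsPrincipal(identity));
    return Results.Ok($"cookie issued for {user}");
});

// The principal is rebuilt from the cookie on each request; there is no lookup.
app.MapGet("/whoami", (ClaimsPrincipal user) => user.Identity?.Name ?? "anonymous")
   .RequireAuthorization();

// Diagnostic only: decrypt the raw cookie with the same protector the handler
// uses, to show the claims are literally inside it. Purpose strings are assumed
// to match the handler's defaults. Do not expose an endpoint like this in production.
app.MapGet("/peek", (HttpContext ctx, IDataProtectionProvider dp) =>
{
    if (!ctx.Request.Cookies.TryGetValue(".AspNetCore.Cookies", out var raw))
        return Results.Unauthorized();
    var protector = dp.CreateProtector(
        "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
        CookieAuthenticationDefaults.AuthenticationScheme, "v2");
    var ticket = new TicketDataFormat(protector).Unprotect(raw); // null if tampered or key unavailable
    if (ticket is null) return Results.Unauthorized();
    return Results.Ok(new
    {
        expires = ticket.Properties.ExpiresUtc,
        claims = ticket.Principal.Claims.Select(c => new { c.Type, c.Value })
    });
});

app.Run();
```

To see the point of jnt's answer, log in with `POST /login?user=alice`, restart the process, and call `/whoami` with the same cookie: it still returns `alice`, because the key ring was reloaded from `/var/keys`. Delete that directory before restarting and the same cookie fails to unprotect, so the user appears logged out even though no "session" was ever stored for them. Decryption failure is the only validation step, which is why the key material, not a cookie table, is what has to be protected and backed up.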
