peval27

Reputation: 1309

Avoid session cookies in ASP.NET Core 2.2 + IdentityServer

I've been playing with ASP.NET Core 2.2 and Identity, using examples explained here. In particular I'm using the StsServer app which allows a user to authenticate using OpenID Hybrid flow or Windows authentication.

What I have seen is that it stores: chrome

Is there a way to avoid such cookies?

Thanks,

Upvotes: 2

Views: 2191

Answers (1)

Chris Pratt

Reputation: 239430

The .AspNetCore.Antiforgery cookie is not a session cookie. It's for CSRF. The .AspNetCore.Identity cookie is also not a session cookie. It's the auth cookie that persists the user's authenticated state when using Identity and Identity Server backed by ASP.NET Core Identity. Finally, the idsrv.session cookie is from Identity Server, and is used for OIDC session management, which is not a "session" in the sense you're probably thinking of. It's there to support maintaining the authenticated state, as well.

Long and short, they each have a specific purpose and you need all of them.

Upvotes: 6
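Since the cookies discussed in the answer above stay in place, the practical lever is how they are issued. The following is an added example, not part of the original answer or of the StsServer sample: a sketch of tightening the antiforgery and Identity auth cookies in ASP.NET Core 2.2. The class name `StsCookieHardening`, the method name `AddHardenedStsCookies` and the 30-minute lifetime are assumptions chosen for illustration.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper (not from the StsServer sample). Call it from
// Startup.ConfigureServices AFTER services.AddIdentity<...>(), because
// ConfigureApplicationCookie adjusts the cookie scheme Identity registers.
public static class StsCookieHardening
{
    public static IServiceCollection AddHardenedStsCookies(this IServiceCollection services)
    {
        // Antiforgery (CSRF) cookie: only the server needs to read it,
        // so keep it away from script and off plain HTTP.
        services.AddAntiforgery(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
        });

        // Identity auth cookie: carries the authenticated state, so it is
        // the one whose theft matters most. HTTPS only, no script access,
        // and a bounded lifetime (30 minutes is an assumed value).
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
            options.SlidingExpiration = true;
        });

        // idsrv.session is issued by IdentityServer itself for OIDC session
        // management and is intentionally left at its defaults here.
        return services;
    }
}
```

`CookieSecurePolicy.Always` requires the STS to be served over HTTPS; on a plain-HTTP development host the browser will not send these cookies back and sign-in will appear to fail.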
