Question

I am currently studying the new ASP.NET Identity and OWIN authentication so that I can customize it for my own use. I just created a default MVC 5 application and came across this piece of code:

    private async Task SignInAsync(ApplicationUser user, bool isPersistent)
    {
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie); /// WHY??
        var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
    }

The Question

Is there any security risk to leaving an External Cookie?


Solution

It turns out that the purpose of that line is to deactivate the external cookie that was obtained from the third-party provider, since the intention is to transfer the identity of the user from the third party to the local identity.

Not doing so would cause the cookie to remain valid even after the user has signed out.
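
As an added example (not part of the original answer or the MVC 5 template), the controller below checks whether the external cookie still authenticates after a local sign-in and logs off by naming both cookie types explicitly. The names `SessionHygieneController`, `Auth`, `ExternalCookiePresentAsync` and `CookieState` are hypothetical; it assumes the template's usual OWIN cookie setup and an `Index` action on `Home`.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

// Hypothetical controller, added for illustration only.
public class SessionHygieneController : Controller
{
    private IAuthenticationManager Auth
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // True while the temporary cookie issued during the third-party
    // round trip still authenticates on this request.
    private async Task<bool> ExternalCookiePresentAsync()
    {
        AuthenticateResult result =
            await Auth.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie);
        return result != null && result.Identity != null;
    }

    // Diagnostic endpoint: call it after a local sign-in to confirm that
    // only the application cookie is left.
    [Authorize]
    public async Task<ActionResult> CookieState()
    {
        bool leftover = await ExternalCookiePresentAsync();
        return Content(leftover
            ? "External cookie still present"
            : "Only the application cookie is present");
    }

    // Log-off that names both authentication types explicitly, so a
    // leftover external cookie is cleared together with the local one.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        Auth.SignOut(
            DefaultAuthenticationTypes.ApplicationCookie,
            DefaultAuthenticationTypes.ExternalCookie);
        return RedirectToAction("Index", "Home");
    }
}
```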

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow