Aurelio Rama Aurelio Rama - 1 year ago 178
ASP.NET (C#) Question

ASP.Net Identity ASPNET.ApplicationCookie looks different when I inspect it

I've been trying to find a clear answer as to why I'm seeing this behavior. I'm using the Microsoft ASP.NET Identity template project to just see how Identity, OWIN, etc works. I'm noticing that every time I make a request (go to Contact, Manage, etc). My AspNet.ApplicationCookie has a different encrypted string (when using developer tools on Chrome or IE). At first I thought it's maybe because I didn't put any claims for the user, but I tried adding some claims and still saw the same behavior. Has anyone seen/know why? Is it just the encrypted cookie changes because of how the OWIN middleware encrypts the cookie? Any help is greatly appreciated.

I read


but neither really gets to exactly why I might see the behavior I'm seeing. Thanks again everyone.

Here's my startup.Auth.cs

public void ConfigureAuth(IAppBuilder app)

// Configure the db context, user manager and signin manager to use a single instance per request

// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions

AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
LogoutPath = new PathString("/Account/LogOff"),
Provider = new CookieAuthenticationProvider
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(0),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))

// these two lines of code are needed if you are using any of the external authentication middleware
app.Properties["Microsoft.Owin.Security.Constants.DefaultSignInAsAuthenticationType"] = "ExternalCookie";
app.UseCookieAuthentication(new CookieAuthenticationOptions
AuthenticationType = "ExternalCookie",
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,

// Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));

// Enables the application to remember the second login verification factor such as phone or email.
// Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
// This is similar to the RememberMe option when you log in.

Answer Source

Your issue is in line with validateInterval: TimeSpan.FromMinutes(0), Here you effectively say "regenerate cookie on every request` - this is for global cookie invalidation when security stamp is changed.

Set validateInterval to be couple minutes - you won't get the cookie invalidated on every request, only every however minutes you set it to be.