brockallen
commented
9 years ago There are a few design reasons we went with the cookie. Unfortunately we don't have any other approach in place at this time.
Closed n-alex-white closed 9 years ago
brockallen
commented
9 years ago There are a few design reasons we went with the cookie. Unfortunately we don't have any other approach in place at this time.
n-alex-white
commented
9 years ago OK. We may look at alternative methods ourselves, and if we come up with a workable solution submit it back to the project - unless some of the design reasons were showstoppers for the project.
Do you happen to remember whether it was just a case of maximising browser compatibility?
brockallen
commented
9 years ago We used a cookie for security reasons -- we don't want an attacker to manipulate the data we need to send from authorization endpoint to the login endpoint.
brockallen
commented
9 years ago An alternative approach would be to issue a smaller cookie, but then you'd need to store the real data server-side (in a DB).
brockallen
commented
9 years ago Any update on what you plan to do?
n-alex-white
commented
9 years ago No decision yet - we are in the process of productionising our application using IDS3 for both OpenID Connect and WS-Fed, and then we're going to be looking at this. We've had to use reference cookies with our previous WS-Fed+ACS only solution, so we'll probably look into that option first - possibly using REDIS cache to store the data.
brockallen
commented
9 years ago Ok, I'll close this for now (since it sounds like you're a way out). If when you dig into this it seems like your approach is not terribly disruptive (which would be ideal for us) then feel free to open a PR to discuss further.
Sound ok?
n-alex-white
commented
9 years ago That sounds OK, thanks.
Search didn't reveal any other queries about this question in the issue list.
When a client hits the authorize endpoint and is redirected to login, a SignInMessage cookie is dropped (which contains contextual information about a login request, as per SignInMessage.cs model).
My concern is that this cookie is very large - one I just experimented with was 1100 characters long - and we have experienced a number of problems with mobile devices because of limits on the total size of the cookie collection on mobile Safari. Are there any options for making this available via different mechanisms such as HTML5 local storage, or as a querystring parameter?
Thanks