Cookies explained


Appframe auth Cookies explained

The flow chart below outlines how the client (browser) and the Appframe server interact with respect to cookies.
It mainly describes how Appframe behaves under the new SameSite cookie requirements and how that relates to CSRF attacks.

The three examples at the bottom of the diagram show how "SameSite=Lax" on the Forms Auth cookie, combined with only accepting "POST" requests, protects against CSRF.

Legend: SC = the session cookie (SameSite=None), AC = the Forms Auth cookie (SameSite=Lax). Each step lists what the web browser sends and how the Appframe web server side responds.

Login flow

1. Browser: requests the URL of some web app that requires auth. No cookies are sent yet.
   Server: "Valid Session + Forms Auth cookies?" No, so the LoginHandler runs, a session cookie is created and the login page is returned.
   Browser now holds: SC (None). Note! Chrome >=80 will not accept this cookie if it is not also marked Secure.
2. Browser: user clicks Office 365. Sends SC (None).
   Server: LoginHandler, OpenIDConnect triggers; the browser is redirected to login.microsoftonline.com.
3. Browser: user logs in at login.microsoftonline.com and the browser POSTs back. Sends SC (None).
   Server: LoginHandler, OpenIDConnect verify; the posted data is processed. OK: render the requested page and return it to the browser.
   Browser now holds: SC (None) and AC (Lax).

Examples

Example 1: some Appframe app doing a POST request (same site).
   Browser sends: SC (None) and AC (Lax).
   Server (some Appframe app): got session cookie, got Forms Auth cookie. AUTHENTICATED! Returns result.

Example 2: Hackersite1, a web page trying to do CSRF (a cross-site POST).
   Browser sends: SC (None) only; the Lax cookie AC is not attached to a cross-site POST.
   Server (some Appframe app or CRUD): got session cookie, no Forms Auth cookie. NOT AUTHENTICATED! Throws exception.

Example 3: Hackersite2, a web page doing a GET (a cross-site top-level navigation).
   Browser sends: SC (None) and AC (Lax); a Lax cookie is attached to a top-level GET.
   Server (some Appframe app or CRUD): got session cookie, got Forms Auth cookie. AUTHENTICATED! Operation is allowed. This is why only POST requests are accepted for operations that change state: a cross-site GET arrives authenticated, but a GET cannot reach a POST-only operation.
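The flow and the three examples above, as an added Python model (not Appframe's own code): it encodes which cookies a browser attaches to a request under SameSite=None / Lax / Strict, the Chrome >=80 rule that a SameSite=None cookie must be Secure, and a server check that requires both cookies and only accepts state-changing operations via POST. The cookie names "SessionCookie" and "FormsAuthCookie" and the site names are assumptions chosen for the illustration. The last scenario goes one step beyond the page's examples by pointing the cross-site GET of Example 3 at a state-changing operation, to show why the POST-only rule matters.

```python
"""Model of the cookie flow described above: a SameSite=None session cookie,
a SameSite=Lax Forms Auth cookie, the browser's decision of which cookies to
attach, and the server's authentication check.  Added illustration; cookie and
site names are assumptions, not Appframe's real values."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str          # "None", "Lax" or "Strict"
    secure: bool = True


@dataclass(frozen=True)
class Request:
    method: str
    initiator_site: str     # site of the page that caused the request
    target_site: str        # site the request is sent to
    top_level_navigation: bool = False  # link click / form submit that replaces the page


def browser_accepts(cookie: Cookie, chrome_major: int) -> bool:
    """Chrome >= 80 rejects a Set-Cookie with SameSite=None unless Secure is set."""
    if cookie.same_site == "None" and not cookie.secure and chrome_major >= 80:
        return False
    return True


def attached_cookies(jar: Iterable[Cookie], request: Request) -> List[str]:
    """Names of the cookies the browser attaches, decided per SameSite attribute."""
    same_site = request.initiator_site == request.target_site
    sent = []
    for c in jar:
        if c.same_site == "None":
            sent.append(c.name)                     # always sent (cross-site included)
        elif c.same_site == "Lax":
            # sent same-site, or cross-site only on a top-level navigation with a safe method
            if same_site or (request.top_level_navigation and request.method in SAFE_METHODS):
                sent.append(c.name)
        elif c.same_site == "Strict":
            if same_site:
                sent.append(c.name)
    return sent


def appframe_handler(cookie_names: List[str], method: str, state_changing: bool) -> str:
    """Server side: both cookies are required; state-changing operations only via POST."""
    if "SessionCookie" not in cookie_names:
        return "NO SESSION: redirect to LoginHandler"
    if "FormsAuthCookie" not in cookie_names:
        return "NOT AUTHENTICATED: exception"
    if state_changing and method != "POST":
        return "AUTHENTICATED but rejected: state change requires POST"
    return "AUTHENTICATED: operation allowed"


APP = "appframe.example"  # assumed site of the Appframe server (constructed)
SESSION_COOKIE = Cookie("SessionCookie", "None", secure=True)      # "SC (None)" on the page
FORMS_AUTH_COOKIE = Cookie("FormsAuthCookie", "Lax", secure=True)  # "AC (Lax)" on the page
JAR = (SESSION_COOKIE, FORMS_AUTH_COOKIE)


def simulate(request: Request, state_changing: bool) -> str:
    """Run one request through the browser's cookie rules and the server check."""
    return appframe_handler(attached_cookies(JAR, request), request.method, state_changing)


def run_examples() -> Dict[str, str]:
    """The page's three examples plus one extra scenario (all inputs constructed)."""
    return {
        # Example 1: an Appframe app on the same site doing a POST
        "example1": simulate(Request("POST", APP, APP), state_changing=True),
        # Example 2: hackersite1 auto-submits a cross-site POST form (CSRF attempt)
        "example2": simulate(Request("POST", "hackersite1.example", APP, True), state_changing=True),
        # Example 3: hackersite2 links to a page on the app (cross-site top-level GET)
        "example3": simulate(Request("GET", "hackersite2.example", APP, True), state_changing=False),
        # Beyond the page: the same cross-site GET aimed at a state-changing operation
        "get_state_change": simulate(Request("GET", "hackersite2.example", APP, True), state_changing=True),
    }


if __name__ == "__main__":
    for name, outcome in run_examples().items():
        print(f"{name}: {outcome}")
    print("Chrome 80 accepts non-Secure SameSite=None cookie:",
          browser_accepts(Cookie("SessionCookie", "None", secure=False), 80))
```

Example 3 is the one to study: the Lax cookie does travel with a cross-site top-level GET, so that request is authenticated exactly as the diagram says. The server's protection is therefore the POST-only rule, not the cookie attribute alone; the extra scenario shows the rejection that rule produces.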
