Stateful cookies not cleared.

Open johan-v-r opened this issue 4 years ago • 0 comments

Hi Scott, firstly thanks for this awesome post on Legacy ASP.NET & PKCE!

In that article you mention:

// remember code verifier in cookie (adapted from OWIN nonce cookie)

https://github.com/scottbrady91/Blog-Example-Classes/blob/7f30cee656ddb1b6cd68483a5447dcf10f2d1afc/AspNetFrameworkPkce/ScottBrady91.BlogExampleCode.AspNetPkce/Startup.cs#L129

I'm curious why the cookie's key is somewhat stateful/dynamic? The problem I'm seeing is when the user refreshes, it creates new nonce & cv cookies, leaving the old ones orphaned. This could eventually cause the request header to grow too big.

Do you see any issue with changing this cookie key to something constant like OpenIdConnect.cv.foo?

johan-v-r Mar 08 '21 09:03