Is there a way to have MANY claims?

Jul 30, 2014 at 1:22 PM
I'm working on a prototype of a MVC system where access to actions relies on having a right claim. We'll mark every action with a claim. The problem that we have 800+ actions in the system.
And the bigger the number of claims, the bigger the authentication cookie in the browser.
And cookie size is limited to 4Kb. So once we hit enough claims (about 400), cookie is ignored by a browser and user can't login.

Is there a better way to preserve claims on user rather than in a cookie? like have it in a session or cache?
Jul 30, 2014 at 5:54 PM
You can look into the Katana cookie middleware release 3.0.0-rc1 that lets you do cookie chunking and also send a cookie reference instead of the entire cookie for cookie sizes greater than 4K.
Jul 30, 2014 at 11:33 PM
Yes, I've done some digging and found ChunkingCookieManager
This nicely breaks the cookies into 4K sizes and adds another cookie with a number of chunks available.
And this is even available through nuget:

However, it will be very wasteful to send 4-12Kb of cookies with every request. And the application I work with is heavy on small AJAX calls: the body of ajax calls are 50bytes, cookies are 10Kb.

Another limitation I have found is how much header size I can have in IIS: various sources indicate that IIS by default does not take more than 16Kb of headers. Anyway, this is an insane size of headers/cookies. And I would like to skip storing claims in the cookie.

You mention "cookie reference", I'm not sure what you refer to here. Any more details on that please?
Jul 31, 2014 at 5:46 AM
If you need to have 800+ claims on the users then you can look at hooking in the callback in the cookie middleware that is called after the ClaimsPrincipal has been created for the request from the cookie. Here you can set the claims on the user, based on a certain unique claim which is sent in the cookie for the user.

Cookie reference mode is the new feature in cookie middleware where you can store the large cookie in a persistence at the server and send a unique reference for this in the response cookie. When the cookie is read in the next subsequent requests, the reference is used to load the actual cookie from the persistence and populate all the claims on the ClaimsPrincipal. The below class implements a sample cookie store
Jul 31, 2014 at 4:22 PM
Cookie reference sounds cool. The only problem it is in beta and I rather not use beta version in production system. (Any idea when Owin 3.0 will be released?).

The callback on Cookiemiddleware? Did you mean
with something like this as implementation: This sounds like the solution to my problem.

Or there is something else available?
Jul 31, 2014 at 8:58 PM
I am not aware of the 3.0 release timelines so sorry about that

Yeah you can hook on to the OnValidateIdentity callback. Let me know if that worked for you
Marked as answer by trailmax on 8/1/2014 at 4:58 PM
Aug 1, 2014 at 11:58 PM
Suhasj, thanks for your help. I've got the issue sorted.

I keep all authorisation claims on a Role (that 600+ claims can only be assigned to a role). Treat roles as user-groups in AD.
And then OnValidateIdentity adds these claims to the user on every request:

And then AuthorisationFilter checks if user can access the MVC action:

This is a working prototype. Now due to implement this on the bigger scale. But I think most of the challenges are over.