So I’ve gotten used to using my Identity NameIdentifier as the main way to identify a user between networks and users. However, my boss told me some days ago that he mostly uses the NameIdentifier as the “unencrypted” key in his cookies for re-authenticating identities (which I see as a major security risk). That got me thinking: how secure is it to use the NameIdentifier openly?
My guess is that the main concern is that, if the private keys get leaked, a person can forge the authentication for a user if the IDs are accessible to all?
As I know some people will comment about the unencrypted authentication key: I am not developing the same system as my boss, so I am not using any unencrypted re-authentication methods (as I just use the safer CookieAuthentication instead).
You are trying to make a secure scheme under which the private key can get leaked and it would still be secure?
Yes, are the built-in token authentications in ASP.NET Core (like cookie, JWT, etc.) safe to use that way?
Your boss is doing something dumb.
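
Added example, not part of the thread and not ASP.NET Core's own code: a re-authentication cookie that carries only the NameIdentifier, next to one that binds the identifier and an expiry to a server-side key with HMAC-SHA256, so that knowing the identifier alone is not enough to produce a value the server accepts. The class and method names, the key handling and the sample identifier are assumptions made for illustration; ASP.NET Core's cookie authentication protects its ticket with the Data Protection system rather than with this code.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class ReauthCookie   // hypothetical helper, constructed for this example
{
    // Weak form: the cookie value is the identifier itself, so the server has
    // no way to tell a value it issued from one a client typed in.
    public static string IssuePlain(string nameIdentifier) => nameIdentifier;

    // Hardened form: "<id>|<expiry>" authenticated with HMAC-SHA256 under a server-only key.
    public static string IssueSigned(string nameIdentifier, DateTimeOffset expires, byte[] key)
    {
        byte[] payload = Encoding.UTF8.GetBytes($"{nameIdentifier}|{expires.ToUnixTimeSeconds()}");
        byte[] tag = HMACSHA256.HashData(key, payload);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(tag);
    }

    // Returns the identifier only if the tag verifies and the value has not expired.
    public static string? Validate(string cookie, DateTimeOffset now, byte[] key)
    {
        string[] parts = cookie.Split('.');
        if (parts.Length != 2) return null;
        try
        {
            byte[] payload = Convert.FromBase64String(parts[0]);
            byte[] tag = Convert.FromBase64String(parts[1]);
            // Constant-time comparison avoids leaking how many tag bytes matched.
            if (!CryptographicOperations.FixedTimeEquals(tag, HMACSHA256.HashData(key, payload)))
                return null;
            string text = Encoding.UTF8.GetString(payload);
            int sep = text.LastIndexOf('|');
            if (sep < 0 || !long.TryParse(text[(sep + 1)..], out long exp)) return null;
            return now.ToUnixTimeSeconds() < exp ? text[..sep] : null;
        }
        catch (FormatException) { return null; }   // not valid Base64
    }
}

static class Program
{
    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);          // server-side secret
        var now = DateTimeOffset.UtcNow;
        string id = "00000000-0000-0000-0000-000000000001";       // constructed sample identifier
        string signed = ReauthCookie.IssueSigned(id, now.AddMinutes(30), key);
        Console.WriteLine(ReauthCookie.Validate(signed, now, key) == id);                 // True
        Console.WriteLine(ReauthCookie.Validate(ReauthCookie.IssuePlain(id), now, key));  // empty: rejected
        Console.WriteLine(ReauthCookie.Validate(signed, now.AddHours(1), key));           // empty: expired
    }
}
```

With the signed form, publishing the NameIdentifier does not help anyone forge a cookie; the value that has to stay secret is the server key, which is the leak scenario the question raises.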