Use Google Authentication without Cookies

Jan 5, 2014 at 2:50 PM
Hello.

Is it somehow possible to use the Google authentication middleware (and others) without using cookies? I currently redirect to Google using the ChallengeResult class from the SPA template in Visual Studio 2013:
public Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
{
    Request.GetOwinContext().Authentication.Challenge(LoginProvider);
    var response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
    response.RequestMessage = Request;
    return Task.FromResult(response);
}
However, when I get redirected back from Google the only information is carried within a cookie. I'd prefer my application to stay cookie free.
Jan 5, 2014 at 3:45 PM
No, not in the current design. How else would you propose to track the user across the entire login flow?
Jan 5, 2014 at 3:53 PM
I thought of using a token in a header.

In the end I want to do it like the SPA template, just without cookies. Give the possibility to log in with different providers, compare the given provider/key-pair with my user login table and return an access token.
Jan 5, 2014 at 4:10 PM
You would just end up replicating the cookie functionality, but you'd have to manage it yourself on both the client and server. A cookie by any other name is still a cookie.
Jan 5, 2014 at 4:50 PM
Edited Jan 5, 2014 at 4:50 PM
Yes, you are right. Thank you for your quick response!

I was also wrongly assuming that it is easier to disable cookies than the local storage, but at least in Chrome both are disabled with the same switch.
I also thought the EU cookie policy would not assume the local storage, but also here I was wrong - values stored in the local storage are also affected by the EU cookie policy.
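
Added example, not posted by anyone in this thread and not code from the OWIN/Katana project: a sketch of the server-side state a header token would have to carry if it replaced the cookie across the login flow, as discussed above. The class name `LoginStateToken`, the token layout and the demo key are assumptions made for illustration; provider names are assumed not to contain `|`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper; the middleware itself does not expose anything like this.
public static class LoginStateToken
{
    // Constructed demo key. A real deployment loads a random secret from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-only-key-replace-with-random-secret");

    // Issued before the redirect to the provider: "<provider>|<nonce>|<expiryUnixSeconds>|<hmac>".
    // The client has to store it and send it back in a header, which is the job a cookie does.
    public static string Issue(string provider, TimeSpan lifetime)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        long expires = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        string payload = provider + "|" + Convert.ToBase64String(nonce) + "|" + expires;
        return payload + "|" + Sign(payload);
    }

    // Checked on the callback: integrity first, then expected provider and expiry.
    public static bool Validate(string token, string expectedProvider)
    {
        if (string.IsNullOrEmpty(token)) return false;
        int cut = token.LastIndexOf('|');
        if (cut < 0) return false;
        string payload = token.Substring(0, cut);
        if (!FixedTimeEquals(Sign(payload), token.Substring(cut + 1))) return false;
        string[] parts = payload.Split('|');
        long expires;
        return parts.Length == 3
            && parts[0] == expectedProvider
            && long.TryParse(parts[2], out expires)
            && expires >= DateTimeOffset.UtcNow.ToUnixTimeSeconds();
    }

    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Compares without an early exit so timing does not reveal how much of the MAC matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The token needs the same properties the cookie already provides (integrity protection, an expiry, and storage on the client), which is the point made in the 4:10 PM reply.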