Constants.CorrelationPrefix in GenerateCorrelationId and ValidateCorrelationId

Sep 17, 2014 at 11:42 AM
Hello guys, and well done on the excellent OWIN framework.

I have been working with it since the very beginning. I am currently about to add it to an e-banking solution and I have spotted that the correlation cookie that is used to prevent the OAuth CSRF is named ".AspNet.Correlation." + AuthType. This is something that will not pass the penetration testing due to the .AspNet prefix. Is it possible to modify the AuthenticationHandler to add a public property which will default to this constant but will also allow me to specify my own unique prefix that doesn't disclose the framework?

Thanks in advance,
Sep 17, 2014 at 4:46 PM
It might be possible. I think you'd have to add the property to the AuthenticationOptions base class. You can open a work item for further evaluation.

Feel free to submit a pull request. Alternatively you could compile it yourself locally.
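An added example, not Katana's code and not from either poster: a Python model of what GenerateCorrelationId and ValidateCorrelationId do (a random nonce stored both in the protected state and in a cookie, compared constant-time on the callback), with the cookie-name prefix made a constructor parameter as the question asks. The class, function names and the `".xsrf"` key are this example's own choices; the state is carried as a plain dict here, whereas the real middleware protects it with its data-protection API. The tampered run models a login-CSRF attempt, where the callback carries a state started in another browser and the correlation cookie is missing.

```python
"""Model of an OAuth login-CSRF correlation cookie with a configurable name prefix.

Added example; not Katana's own code. Names below are this example's assumptions.
"""
import base64
import hmac
import os
from typing import Dict, Tuple

DEFAULT_PREFIX = ".AspNet.Correlation."  # the constant the thread refers to
STATE_KEY = ".xsrf"                      # where the nonce is kept in the (protected) state


class CorrelationCookie:
    """Ties the OAuth callback to the browser that started the flow."""

    def __init__(self, auth_type: str, prefix: str = DEFAULT_PREFIX) -> None:
        # Operators who do not want ".AspNet" in cookie names pass their own prefix.
        self.cookie_name = prefix + auth_type

    def generate(self, state: Dict[str, str], is_https: bool) -> str:
        """Store a fresh nonce in the state and return the Set-Cookie header value."""
        nonce = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode("ascii")
        state[STATE_KEY] = nonce
        attrs = ["HttpOnly", "Path=/"]
        if is_https:
            attrs.append("Secure")  # only sent over TLS; an e-banking site is always HTTPS
        return f"{self.cookie_name}={nonce}; " + "; ".join(attrs)

    def validate(self, state: Dict[str, str], cookies: Dict[str, str]) -> Tuple[bool, str]:
        """Compare the cookie with the nonce in the state.

        Returns (ok, set_cookie_value) where the second item expires the one-shot cookie
        whether validation succeeded or not.
        """
        expire = f"{self.cookie_name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/"
        received = cookies.get(self.cookie_name)
        expected = state.pop(STATE_KEY, None)  # single use: never accept it twice
        if received is None or expected is None:
            return False, expire
        return hmac.compare_digest(received, expected), expire


def login_roundtrip(auth_type: str, prefix: str, tamper: bool = False) -> Tuple[bool, str]:
    """Run challenge + callback and return (validation result, cookie name used)."""
    cookie = CorrelationCookie(auth_type, prefix)

    # Challenge: the handler writes the nonce into the state and sets the cookie.
    state: Dict[str, str] = {}
    set_cookie = cookie.generate(state, is_https=True)
    name, _, rest = set_cookie.partition("=")
    browser_jar = {name: rest.split(";")[0]}  # constructed browser cookie jar

    # The state travels to the provider and returns on the callback.
    returned_state = dict(state)
    if tamper:
        # Login CSRF: the callback URL was started in the attacker's browser, so the
        # victim's browser presents that state but has no matching correlation cookie.
        browser_jar = {}

    ok, _expire = cookie.validate(returned_state, browser_jar)
    return ok, name


if __name__ == "__main__":
    print(login_roundtrip("Google", DEFAULT_PREFIX))
    print(login_roundtrip("Google", ".Bank.Corr."))
    print(login_roundtrip("Google", ".Bank.Corr.", tamper=True))
```

Renaming the cookie only removes a fingerprint; the protection itself comes from the nonce being bound to the browser through the cookie, compared with a constant-time check and invalidated after one use.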