Authentication & Authorization in .NET

Authentication looks simple until you read the audit report. The login flow worked, the logout button responded, the session cookie had a tick next to “Secure” — and the penetration tester still walked through the admin panel because the token never actually expired. The articles in this collection treat ASP.NET Core authentication as the layered system it is, where every default is a decision and most of those decisions are wrong for production.

The cookie-versus-JWT split runs through several articles. Cookie tickets are encrypted with the Data Protection keyring, so an instance that does not share the keyring simply rejects the cookie, and per-session invalidation still needs server-side state (an ITicketStore, or an OnValidatePrincipal check against a security stamp). JWTs cannot be revoked without external state either, which is fine for short-lived access tokens and a security incident in waiting for everything else. The articles cover when each scheme fits and which configuration knobs (SlidingExpiration, ExpireTimeSpan and AllowRefresh on the cookie side, ClockSkew in TokenValidationParameters on the bearer side) actually do what their names suggest.
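As an added example (not code from the original articles), here is a minimal ASP.NET Core Program.cs showing the loose cookie lifetime most templates ship beside a hardened one: a short sliding idle window, a hard absolute deadline carried in the ticket, an OnValidatePrincipal check against a server-side security stamp so disabled users are cut off mid-session, and a JWT bearer scheme with ClockSkew tightened from its 5-minute default. The ISecurityStampLookup interface, the InMemoryStampLookup stand-in, the "abs_exp" item key and the Jwt:* configuration keys are assumptions made for this example; the credential check in /login is omitted.

```csharp
using System.Globalization;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<ISecurityStampLookup, InMemoryStampLookup>(); // hypothetical store
builder.Services.AddAuthorization();

// LOOSE (passes review, fails audit): a two-week sliding cookie with no server-side check.
// An active session renews forever and a disabled user keeps working until the ticket lapses.
//   .AddCookie(o => { o.ExpireTimeSpan = TimeSpan.FromDays(14); o.SlidingExpiration = true; })

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o =>
    {
        o.Cookie.HttpOnly = true;
        o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        o.Cookie.SameSite = SameSiteMode.Strict;
        o.ExpireTimeSpan = TimeSpan.FromMinutes(20); // idle timeout
        o.SlidingExpiration = true;                  // extends only the idle window
        o.Events.OnValidatePrincipal = async ctx =>
        {
            // Absolute lifetime: a sliding refresh rewrites IssuedUtc/ExpiresUtc, so the hard
            // deadline is carried in Properties.Items, which survive the refresh unchanged.
            ctx.Properties.Items.TryGetValue("abs_exp", out var raw);
            var hasDeadline = DateTimeOffset.TryParse(raw, null, DateTimeStyles.RoundtripKind, out var absExp);

            // Security stamp: rotated on password reset, account disable or admin-forced logout.
            var userId = ctx.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            var stampInTicket = ctx.Principal?.FindFirst("security_stamp")?.Value;
            var lookup = ctx.HttpContext.RequestServices.GetRequiredService<ISecurityStampLookup>();
            var current = userId is null ? null : await lookup.GetCurrentStampAsync(userId, ctx.HttpContext.RequestAborted);

            if (!hasDeadline || DateTimeOffset.UtcNow >= absExp || stampInTicket is null || stampInTicket != current)
            {
                ctx.RejectPrincipal();
                await ctx.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            }
        };
    })
    .AddJwtBearer(o =>
    {
        o.Authority = builder.Configuration["Jwt:Authority"]; // assumed config keys
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidateAudience = true,
            ValidAudience = builder.Configuration["Jwt:Audience"],
            ValidateLifetime = true,
            RequireExpirationTime = true,
            // The default skew is 5 minutes: an "expired" token is accepted for 5 more.
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Credential check omitted; assume it succeeded for the constructed user "alice".
app.MapPost("/login", async (HttpContext http, ISecurityStampLookup lookup) =>
{
    const string userId = "alice";
    var stamp = await lookup.GetCurrentStampAsync(userId, http.RequestAborted) ?? "";
    var identity = new ClaimsIdentity(new[]
    {
        new Claim(ClaimTypes.NameIdentifier, userId),
        new Claim("security_stamp", stamp),
    }, CookieAuthenticationDefaults.AuthenticationScheme);
    var props = new AuthenticationProperties
    {
        IsPersistent = false,
        Items = { ["abs_exp"] = DateTimeOffset.UtcNow.AddHours(8).ToString("o") }, // hard 8h cap
    };
    await http.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity), props);
    return Results.Ok();
});
app.MapGet("/me", (ClaimsPrincipal user) => user.Identity?.Name ?? "anonymous").RequireAuthorization();
app.Run();

// Hypothetical lookup, not part of the page: returns the user's current security stamp.
public interface ISecurityStampLookup
{
    Task<string?> GetCurrentStampAsync(string userId, CancellationToken ct);
}

// Constructed in-memory stand-in for a database table of stamps.
sealed class InMemoryStampLookup : ISecurityStampLookup
{
    private readonly Dictionary<string, string> _stamps = new() { ["alice"] = Guid.NewGuid().ToString("N") };
    public Task<string?> GetCurrentStampAsync(string userId, CancellationToken ct)
        => Task.FromResult<string?>(_stamps.TryGetValue(userId, out var s) ? s : null);
    // Rotate on password change or admin disable; every outstanding ticket is then rejected.
    public void Rotate(string userId) => _stamps[userId] = Guid.NewGuid().ToString("N");
}
```

The stamp check runs on every request, so back it with a cache in a real deployment; the point is that the cookie's own expiry is never the only thing standing between a disabled account and the admin panel.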

Entra ID and Azure AD B2C content goes through the OpenID Connect handler on the assumption that the defaults need scrutiny. Audience and issuer checks that are relaxed until the integration test goes green. Signing-key rollover that turns into a wall of 401s because the handler was never allowed to refresh its metadata. Token caches that keep serving claims past expiry because OnTokenValidated was wired to a stale lookup. Conditional access policies that enforce MFA at the identity provider and are bypassed by a direct API call made with a refresh token issued before the policy applied.

Session lifecycle articles cover what the logout button actually has to do. Removing the local cookie alone leaves any issued JWT valid until expiry and the identity-provider session alive; signing out of Entra ID alone leaves the local cookie warm. The right shutdown is a sequence: local sign-out, the OIDC end_session_endpoint (with id_token_hint, so the provider knows which session to end), and refresh-token revocation. Most implementations stop at step one.
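The three-step shutdown, as an added example rather than code from the original articles: a minimal ASP.NET Core app whose /logout endpoint revokes the refresh token at the provider (RFC 7009 form POST), then signs out of both the cookie scheme and the OIDC scheme so the handler redirects the browser to end_session_endpoint with id_token_hint. The Oidc:* configuration keys, the /signed-out path and the existence of a revocation endpoint are assumptions; not every provider advertises one in its discovery document, so check before relying on this step.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpClient();
builder.Services.AddAuthorization();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie()
    .AddOpenIdConnect(o =>
    {
        o.Authority = builder.Configuration["Oidc:Authority"];   // assumed config keys
        o.ClientId = builder.Configuration["Oidc:ClientId"];
        o.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
        o.ResponseType = "code";
        o.Scope.Add("offline_access"); // ask for a refresh token so there is something to revoke
        o.SaveTokens = true;           // without this the id_token and refresh_token are dropped
                                       // from the ticket and steps 2 and 3 have nothing to use
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/logout", async (HttpContext http, IHttpClientFactory clients, IConfiguration cfg, ILogger<Program> log) =>
{
    // Step 3 runs first, while the ticket (and the refresh token stored in it) is still
    // readable. RFC 7009: POST token + token_type_hint with client credentials.
    var refreshToken = await http.GetTokenAsync("refresh_token");
    var revokeUrl = cfg["Oidc:RevocationEndpoint"];
    if (refreshToken is not null && revokeUrl is not null)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["token"] = refreshToken,
            ["token_type_hint"] = "refresh_token",
            ["client_id"] = cfg["Oidc:ClientId"]!,
            ["client_secret"] = cfg["Oidc:ClientSecret"]!,
        });
        var resp = await clients.CreateClient().PostAsync(revokeUrl, form, http.RequestAborted);
        // 200 means revoked or already invalid; anything else is logged but must not
        // leave the user signed in locally.
        if (!resp.IsSuccessStatusCode)
            log.LogWarning("Refresh token revocation returned {Status}", (int)resp.StatusCode);
    }

    // Steps 1 and 2 together: delete the local cookie and redirect the browser to the
    // provider's end_session_endpoint with id_token_hint taken from the saved id_token.
    // Signing out of the cookie scheme alone is "step one": the provider session stays
    // alive and the next /login round-trips silently without a password.
    return Results.SignOut(
        new AuthenticationProperties { RedirectUri = "/signed-out" },
        new[]
        {
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme,
        });
}).RequireAuthorization();

app.MapGet("/signed-out", () => "Signed out of this app and the identity provider.");
app.Run();
```

Logout is a POST on purpose: a GET logout can be triggered cross-site by an image tag. If your provider has no revocation endpoint, the equivalent server-side step is whatever session-revocation call it does offer; skipping it means the refresh token keeps minting access tokens until its own lifetime ends.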

For the broader access-control vocabulary, see RBAC and the ISO/IEC standards tag. The recurring point: authentication that compiles is not authentication that holds.

Security Cosplay: Your Password-Only Admin Panel Isn't Fooling Anyone

Username and password for admin access? That’s not security, that’s security cosplay. You’re wearing the costume without any of the actual protection. One leaked credential and attackers walk right through your front door. Azure AD B2C with conditional MFA ends the costume party: risk-based authentication that only challenges when it matters. View a dashboard? Password’s fine. Delete production data? Prove you’re really you.
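The split that teaser describes, expressed as an added ASP.NET Core example (not the article's own code): a read-only policy for dashboards and a destructive-operation policy backed by an authorization requirement that checks the token's amr (authentication method reference) claim for "mfa". The assumption is that the identity provider emits "mfa" in amr when a second factor was satisfied, which Entra ID does for MFA sign-ins; for a B2C user flow or custom policy, confirm which claims it actually issues. The endpoint paths and the cookie registration are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

// Placeholder scheme: replace with the OIDC/B2C registration that populates the amr claim.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
builder.Services.AddSingleton<IAuthorizationHandler, MfaHandler>();
builder.Services.AddAuthorization(o =>
{
    // Viewing a dashboard: any authenticated principal, password alone is enough.
    o.AddPolicy("ReadOnly", p => p.RequireAuthenticatedUser());

    // Destructive operations: the token must have been issued after a second factor.
    o.AddPolicy("Destructive", p => p
        .RequireAuthenticatedUser()
        .AddRequirements(new MfaRequirement()));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/dashboard", () => "read-only view").RequireAuthorization("ReadOnly");
app.MapDelete("/production/{id}", (string id) => $"deleted {id}").RequireAuthorization("Destructive");
app.Run();

// The requirement is a marker; the handler holds the rule, so "did MFA happen" is
// decided in one place instead of being re-derived in every controller.
sealed class MfaRequirement : IAuthorizationRequirement { }

sealed class MfaHandler : AuthorizationHandler<MfaRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, MfaRequirement requirement)
    {
        // amr is a JSON array in the token; the handler maps each element to its own claim.
        if (context.User.FindAll("amr").Any(c => c.Value == "mfa"))
            context.Succeed(requirement);
        else
            context.Fail(new AuthorizationFailureReason(this, "token was issued without a second factor"));
        return Task.CompletedTask;
    }
}
```

The failure reason is what ends up in the authorization log, which is the difference between "403" and an audit trail that says why.
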

Your Logout Button Is Lying: ASP.NET Session Security Done Right

That StackOverflow answer suggesting Session.Timeout = Int32.MaxValue for “better UX”? It’s how security becomes checkbox theater. Sessions that never expire, logout buttons that don’t invalidate tokens, cookies transmitted over HTTP—auditors catch these patterns immediately. Here’s how to configure ASP.NET Core authentication that actually works.

Cookie Banners Won't Save You From ISO 27701

That boolean column you call “consent”? Regulators will laugh at it.

ISO 27701 demands granular, auditable, expiring consent, not cookie theater. Here’s the complete .NET implementation with Entity Framework Core, middleware validation, and Azure Functions that survives an audit.

Your [Authorize] Attribute Is Compliance Theater

Your [Authorize] attributes give you a false sense of security. ISO 27001 auditors see right through it.

I’ve reviewed dozens of ASP.NET Core apps that authenticate flawlessly — then scatter role strings across business logic, skip audit logs, and wonder why they fail compliance. Here’s the pattern that kills audits, and how to actually fix it.