Tutorials ASP.NET Core Complete Tutorial (ShopNest)

Authentication in ASP.NET Core — Cookie and JWT

Learn Authentication in ASP.NET Core — Cookie and JWT in our free ASP.NET Core Complete Tutorial (ShopNest) series. Step-by-step explanations, examples, and interview tips on Toolliyo Academy.

On this page
Authentication in ASP.NET Core — Cookie and JWT — ShopNest
Article 30 of 75 · Module 4: Authentication & Security · ShopNest SaaS Login System
Target keyword: authentication asp.net core jwt · Read time: ~31 min · .NET: 8 / 9 · Project: ShopNest SaaS Login System

Introduction

Authentication answers "who are you?" — Authorization (Article 31) answers "what can you do?". ShopNest SaaS uses cookie auth for the web app and JWT for mobile/API clients.

After this article you will

  • Distinguish authentication from authorization clearly
  • Configure cookie auth with sliding expiration
  • Generate and validate JWT tokens
  • Understand ClaimsPrincipal and [Authorize]
  • Configure security headers (HSTS, X-Frame-Options)

Prerequisites

Concept deep-dive

AuthenticationAuthorization
QuestionWho is this user?Can they access this resource?
ShopNest exampleLogin form / JWT[Authorize(Roles="Admin")]

JWT structure

header.payload.signature — payload contains claims (sub, email, roles); signature verified with secret key.

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie()
.AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidIssuer = config["Jwt:Issuer"],
        ValidAudience = config["Jwt:Audience"],
        IssuerSigningKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(config["Jwt:Key"]!))
    };
});

Claims: User.FindFirst(ClaimTypes.Email)?.Value — identity is ClaimsPrincipal.

Security headers: app.UseHsts(), UseXContentTypeOptions, frame options via middleware.

Hands-on — ShopNest SaaS Login System

  1. Cookie auth for MVC storefront (Identity from Article 29).
  2. JwtTokenService generates token on /api/auth/login.
  3. API ProductsController with [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)].
  4. Remember me: cookie IsPersistent = true with longer ExpireTimeSpan.

Common errors & best practices

  • JWT secret in appsettings committed to Git — use User Secrets / Key Vault.
  • Confusing 401 vs 403 — 401 not authenticated; 403 authenticated but denied.
  • Not validating issuer/audience — tokens from other apps accepted.

Interview questions

Q: Cookie vs JWT?
A: Cookie for browser same-site sessions; JWT for SPA/mobile stateless APIs.

Q: What is a claim?
A: Key-value pair in token/cookie representing user facts (name, role, permission).

Q: Sliding expiration?
A: Cookie lifetime extends on activity — user stays logged in while active.

Summary

  • Authentication establishes identity; authorization checks permissions
  • Cookies for ShopNest web; JWT for SaaS API clients
  • Validate JWT issuer, audience, lifetime, and signature
  • Security headers harden browser behavior

Previous: ASP.NET Core Identity
Next: Authorization — Roles, Policies, Claims

FAQ

Multiple auth schemes?

Specify scheme on [Authorize] or endpoint — Cookie default for MVC, JWT for /api.

SSO intro?

External IdP (Azure AD) issues tokens — OAuth/OIDC in Article 33.

Questions on this lesson 0

Sign in to ask a question or upvote helpful answers.

No questions yet — be the first to ask!

ASP.NET Core Complete Tutorial (ShopNest)
Course syllabus
Module 1: Foundations
Module 2: Entity Framework Core
Module 3: Dependency Injection & Middleware
Module 4: Authentication & Security
Module 5: Web API
Module 6: Advanced Architecture
Module 7: Testing
Module 8: Deployment & DevOps
Module 9: Real-World Projects
Module 10: Advanced Topics
Toolliyo Assistant
Ask about tutorials, ebooks, training, pricing, mentor services, and support. I use public site content only—not admin or internal tools.

care@toolliyo.com

Need callback? Share your details