Chris Ross

> Instead of calling ITicketStore.StoreAsync, CookieAuthenticationHandler is calling ITicketStore.RenewAsync, with Session ID 1 While it may be counter-intuitive, renew can re-create the session with arbitrary content. Practically speaking, it will...

> 3\. Login to the second app, the browser will include the ASP.NET Core cookie saved in step 2. This would only happen if both apps were on the same...

You can update your Newtonsoft.Json dependency with a direct reference, you don't require any updates from Microsoft.Owin. This is common practice for patching.

Then the tool isn't checking what you're actually using, just what some dependencies have referenced. You're fine if you've updated the dependency locally.

? I thought project.assets.json was only for .NET Core projects.

No, you'd have to convince @adityamandaleeka that it's urgent.

That's odd. Can you attach the debugger and step into that call? You should end up here: https://github.com/aspnet/AspNetKatana/blob/ab378cfef173dd88c513fc037dec34c6e96b0178/src/Microsoft.Owin.Host.SystemWeb/OwinCallContext.Environment.cs#L216

This is coming from IIS, it's not an OWIN specific issue. I'm told the value is only available when ETW tracing is enabled in IIS.

The OIDC token is used to log into your app. However once you're logged in you are then working with the local cookie auth, not the token. When UseTokenLifetime is...

No it doesn't.