Secure Session Management for C# Applications

Here are the initial instructions and explanation of the lab environment. Read this while your environment is busy creating itself from nothing. Yes, this violates physics; we know. How fun!

Before diving into coding, review the threats that session cookies and tokens need to defend against, including session fixation, XSS-assisted cookie theft, cross-site request forgery (CSRF), and replay attacks. Additionally, you'll compare server-stored sessions with stateless JWTs to ensure the hands-on tasks align with the architectural context.

You'll create a basic ASP.NET Core MVC or minimal API project that uses the default in-memory session middleware. By default, the session cookie is sent without Secure or SameSite flags and has a timeout of 20 minutes. You'll verify these settings using curl or your browser’s DevTools.

You'll enhance the baseline by configuring secure options in AddSession and UseSession. You'll require HTTPS, set the cookie as HttpOnly, configure SameSite=Strict, and reduce the idle timeout to two minutes. You'll then re-run the test and confirm the updated flags in the browser.

You'll switch from cookie-based sessions to JWT bearer authentication. You'll set up a login endpoint that generates a signed token using HS256, implement AddAuthentication("Bearer"), and secure the /api/secure route with [Authorize]. You'll demonstrate successful access when the token is valid and provide automatic 401 responses when the token is missing, expired, or altered.

In this challenge, you will answer some assessment questions that will test your understanding of the concepts you learned throughout this lab.