While I was learning how to integrate Facebook Authentication into ASP.NET MVC application I have written a code that uses session state to store the access_token obtained via Facebook JS SDK. As soon as the java-script code has the access token, it is being posted onto a special controller action that stores it in Session dictionary.
I would like to avoid the use of Session but to still have the access token available to retrieve user info. Is it safe to just store it in a non-permanent cookie? Will the effect be the same?
It might interest you that the official PHP SDK stores the access token in a session, or in the
signed_requestwhich is stored in a cookie. However, thesigned_requestis encrypted using the app secret which is a lot more secure than storing the access token unencrypted.https://github.com/facebook/facebook-php-sdk/tree/master/src
Also, here’s a previous discussion on stackoverflow about cookie vs session security:
Do i login using cookies or sessions in a login system?
You may create your own encrypted signed request if you please, however never do that from your client (because it would require storing the secret on your client). For more info see the PHP SDK and/or the link:
https://developers.facebook.com/docs/authentication/signed_request/