
Large FedAuth Cookie (FedAuth4) with only 7 claims

I'm struggling to figure out why a ClaimsPrincipal with only 7 claims is producing 5 FedAuth Cookies (FedAuth1, FedAuth2, FedAuth3, FedAuth4) from the FAM.

This is causing problems as Safari is truncating my cookies and my Mac users are unable to log in.

Any ideas why I might be experiencing this or where I can look to figure it out?

UPDATE: As pointed out by Eugenio, setting SaveBootstrapTokens=false shrunk the cookies from 5 back to 2 and now Safari users can log in.

Jonathon Kresner asked Feb 23 '23 03:02


1 Answer

What do these claims contain? The number of claims will affect the size of the token, but so will the information they have. The FedAuthx cookies are essentially the entire token (more specifically a SessionToken), encrypted and chunked.

As an alternative, you can consider using WIF "session mode", which will store the token on the server side. The tradeoff is having to manage the server-side state and its consequences (e.g. state across web farms, etc.).

Update: You can control the size of each cookie with additional config. The minimum size is 1000 though and you can't control the total amount of cookies.

<cookieHandler requireSsl="false" mode="Chunked">
  <chunkedCookieHandler chunkSize="1000"/>
</cookieHandler>

The workaround mentioned in the article seems similar to what WIF does out of the box with "session mode" explained above. I'd suggest using this approach instead of a custom one. Vittorio's article explains it very well: http://blogs.msdn.com/b/vbertocci/archive/2010/05/26/your-fedauth-cookies-on-a-diet-issessionmode-true.aspx

Eugenio Pace answered Feb 25 '23 16:02
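
The "session mode" described in the answer above can be switched on from Global.asax. This is an added example, not code from the original question or answer; it assumes WIF 1.0 (Microsoft.IdentityModel.dll) and that the federation module is registered in web.config under the name WSFederationAuthenticationModule.

```csharp
// Global.asax.cs (added illustration, not from the original thread)
// Assumes WIF 1.0 with WSFederationAuthenticationModule and
// SessionAuthenticationModule registered as HTTP modules in web.config.
using System;
using System.Web;
using Microsoft.IdentityModel.Web;

public class Global : HttpApplication
{
    // ASP.NET binds this handler by naming convention:
    // <module name in web.config>_<event name>.
    void WSFederationAuthenticationModule_SessionSecurityTokenCreated(
        object sender, SessionSecurityTokenCreatedEventArgs e)
    {
        // Session mode: the SessionSecurityToken (claims, and the bootstrap
        // token if it is being saved) stays in the server-side token cache.
        // The FedAuth cookie then carries only a reference to that entry,
        // so its size no longer grows with the number or length of claims.
        FederatedAuthentication.SessionAuthenticationModule.IsSessionMode = true;
    }
}
```

Because the cookie is now only a pointer into server-side state, every node that can receive the request must be able to resolve it, which is the web farm tradeoff the answer mentions.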