
ASP.NET Core Tutorial: How can the JSON Web Token (JWT) Structure be Validated?


A JSON Web Token (JWT) is a compact, URL-safe token format used to transfer claims as a JSON object between parties. It is widely used in modern web applications, particularly in authentication and authorization systems such as microservices architectures, Node.js backends, and ASP.NET Core APIs.

JWT is essential in stateless authentication, where the server does not keep session state. Instead, the token itself carries all the user data the server needs, which makes it scalable and efficient for cloud-based and distributed systems.

Secure authentication with JWT improves application trust, user retention, and compliance with international security requirements, which also matters from an SEO and GEO standpoint.

What is JWT?

A JSON Web Token (JWT) is an encoded string that contains claims (data) and is digitally signed to ensure integrity and authenticity. It is commonly used for:

  • User authentication

  • Authorization (role-based access)

  • Secure data exchange between services

A JWT is typically sent in the Authorization header as a Bearer token:

Authorization: Bearer <token>

Structure of JWT

A JWT consists of three parts separated by dots:

Header.Payload.Signature

1. Header

The header contains metadata about the token, including the algorithm used for signing.

Example:

{
  "alg": "HS256",
  "typ": "JWT"
}

  • alg: Signing algorithm (HMAC SHA256, RSA, etc.)

  • typ: Token type

2. Payload

The payload contains claims (data). These can be:

  • Registered claims (iss, exp, sub)

  • Public claims

  • Private claims (custom data like userId, role)

Example:

{
  "userId": 101,
  "role": "Admin",
  "exp": 1716239022
}

3. Signature

The signature is computed over the encoded header and payload with the secret key and is used to verify that the token has not been tampered with. Its base64url encoding forms the third part of the token.

Example:

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secretKey
)

Real-World Scenario

Consider a login system in an e-commerce application. When a user logs in successfully, the server generates a JWT containing the user's ID and role. This token is sent to the client and included in future requests. The server validates the token before allowing access to protected resources.

How JWT Validation Works

Validating a JWT ensures that the token is authentic, not expired, and issued by a trusted authority.

Step-by-Step JWT Validation Process
Step 1: Decode the Token

Split the token into header, payload, and signature.

Step 2: Verify Signature

Ensure the signature matches using the secret key or public key.

Step 3: Check Expiration

Verify the exp claim to ensure the token is not expired.

Step 4: Validate Issuer and Audience

Check iss (issuer) and aud (audience) claims.

Step 5: Validate Claims

Ensure roles, permissions, and user data are valid.
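As an added illustration (not code from the original post), here is the five-step process written out by hand in C# for an HS256 token, with a test-only Issue helper so it runs stand-alone; the key, issuer and audience values are constructed samples. In a real ASP.NET Core app the JwtBearer middleware configured in the next section performs these checks for you.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class ManualJwtValidator
{
    // Walks steps 1-5 for an HS256 token: returns the payload claims on success,
    // throws UnauthorizedAccessException on any failure.
    public static JsonElement Validate(string token, byte[] secretKey, string expectedIssuer,
                                       string expectedAudience, long nowUnixSeconds, int clockSkewSeconds = 60)
    {
        // Step 1: decode. A compact JWT is exactly header.payload.signature.
        string[] parts = token.Split('.');
        if (parts.Length != 3)
            throw new UnauthorizedAccessException("token must have three dot-separated parts");
        using JsonDocument header = JsonDocument.Parse(Base64UrlDecode(parts[0]));
        using JsonDocument payload = JsonDocument.Parse(Base64UrlDecode(parts[1]));

        // Step 2: verify the signature. The verifier pins the algorithm; a token whose
        // "alg" header says anything else (including "none") is refused before any crypto runs.
        if (!header.RootElement.TryGetProperty("alg", out JsonElement alg) || alg.GetString() != "HS256")
            throw new UnauthorizedAccessException("unexpected or missing alg");
        byte[] signingInput = Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]);
        byte[] expected = HMACSHA256.HashData(secretKey, signingInput);
        if (!CryptographicOperations.FixedTimeEquals(expected, Base64UrlDecode(parts[2])))  // constant-time compare
            throw new UnauthorizedAccessException("signature mismatch");

        // Step 3: check expiration. exp is seconds since the Unix epoch; allow a little clock skew.
        JsonElement claims = payload.RootElement;
        if (!claims.TryGetProperty("exp", out JsonElement exp))
            throw new UnauthorizedAccessException("missing exp claim");
        if (nowUnixSeconds > exp.GetInt64() + clockSkewSeconds)
            throw new UnauthorizedAccessException("token expired");

        // Step 4: validate issuer and audience.
        if (!claims.TryGetProperty("iss", out JsonElement iss) || iss.GetString() != expectedIssuer)
            throw new UnauthorizedAccessException("issuer mismatch");
        if (!claims.TryGetProperty("aud", out JsonElement aud) || !AudienceMatches(aud, expectedAudience))
            throw new UnauthorizedAccessException("audience mismatch");

        // Step 5: role/permission checks are application-specific, so return the claims
        // as a copy that stays valid after the JsonDocument is disposed.
        return claims.Clone();
    }

    // "aud" may be one string or an array of strings (RFC 7519, section 4.1.3).
    private static bool AudienceMatches(JsonElement aud, string expected)
    {
        if (aud.ValueKind == JsonValueKind.String)
            return aud.GetString() == expected;
        if (aud.ValueKind == JsonValueKind.Array)
            foreach (JsonElement a in aud.EnumerateArray())
                if (a.ValueKind == JsonValueKind.String && a.GetString() == expected)
                    return true;
        return false;
    }

    public static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
            case 1: throw new UnauthorizedAccessException("malformed base64url segment");
        }
        return Convert.FromBase64String(b64);
    }

    public static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Test-only issuer so the sample runs without a server. It applies the
    // HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secretKey) formula from above.
    public static string Issue(string payloadJson, byte[] secretKey)
    {
        string h = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        string p = Base64UrlEncode(Encoding.UTF8.GetBytes(payloadJson));
        byte[] sig = HMACSHA256.HashData(secretKey, Encoding.ASCII.GetBytes(h + "." + p));
        return h + "." + p + "." + Base64UrlEncode(sig);
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("demo-secret-key-at-least-16-bytes");  // constructed sample key
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string good = Issue($"{{\"userId\":101,\"role\":\"Admin\",\"iss\":\"yourIssuer\",\"aud\":\"yourAudience\",\"exp\":{now + 300}}}", key);
        JsonElement claims = Validate(good, key, "yourIssuer", "yourAudience", now);
        Console.WriteLine($"accepted, role = {claims.GetProperty("role").GetString()}");

        // Change the payload but keep the old signature: step 2 rejects it.
        string[] parts = good.Split('.');
        string editedPayload = Base64UrlEncode(Encoding.UTF8.GetBytes(
            Encoding.UTF8.GetString(Base64UrlDecode(parts[1])).Replace("Admin", "User")));
        try { Validate(parts[0] + "." + editedPayload + "." + parts[2], key, "yourIssuer", "yourAudience", now); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine($"rejected: {ex.Message}"); }
    }
}
```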

JWT Validation in ASP.NET Core

builder.Services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = "yourIssuer",
            ValidAudience = "yourAudience",
            // Placeholder: an HS256 key must be at least 128 bits (16 bytes) long and
            // should be loaded from configuration or a secret store, not hard-coded.
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes("yourSecretKey"))
        };
    });

Advantages of JWT

  • Stateless authentication (no server session storage)

  • Scalable for microservices

  • Compact and efficient

  • Secure with digital signatures

Disadvantages of JWT
  • Token cannot be easily revoked

  • Larger payload increases size

  • Security risks if secret key is compromised

JWT vs Session-Based Authentication

Feature     | JWT                 | Session-Based
Storage     | Client-side         | Server-side
Scalability | High                | Limited
Performance | Faster              | Slower
Revocation  | Difficult           | Easy
Use Case    | APIs, microservices | Traditional web apps

Best Practices for JWT Implementation
  • Use HTTPS to transmit tokens

  • Keep payload minimal

  • Set short expiration time

  • Use refresh tokens for long sessions

  • Store tokens securely (avoid localStorage for sensitive apps)

Real-World Use Cases
  • Authentication in REST APIs

  • Single Sign-On (SSO)

  • Mobile app authentication

  • Microservices communication



How to Prevent Socket Exhaustion in .NET Core by Using HttpClientFactory?


Making HTTP calls to external APIs is a common task in modern ASP.NET Core applications. Whether you are contacting a payment gateway, a third-party service, or another microservice, you usually use HttpClient to send the request.

However, many developers unintentionally misuse HttpClient, which can cause socket exhaustion, a serious problem: under heavy load the application slows down or even crashes.

To address this, .NET Core added IHttpClientFactory, a feature that manages HttpClient instances efficiently.

This article explains what socket exhaustion is, why it occurs, and how to use HttpClientFactory in .NET, step by step with basic examples.

What is Socket Exhaustion?

Understanding Socket Exhaustion in Simple Words

Socket exhaustion happens when your application creates too many HTTP connections and does not release them properly.

Each HTTP request uses a network socket. If sockets are not reused or closed correctly, the system runs out of available sockets.

Why This Happens with HttpClient

Many developers write code like this:

public async Task<string> GetData()
{
    using (var client = new HttpClient())
    {
        return await client.GetStringAsync("https://api.example.com/data");
    }
}

This looks correct, but creating a new HttpClient for every request causes:

  • Too many open connections

  • Delayed socket release (TIME_WAIT state)

  • Resource exhaustion

This leads to performance issues in ASP.NET Core applications.

What is IHttpClientFactory in .NET Core?

Simple Definition

IHttpClientFactory is a built-in factory in .NET Core that helps you create and manage HttpClient instances efficiently.

It handles:

  • Connection pooling

  • DNS updates

  • Lifetime management

Benefits of IHttpClientFactory

  • Prevents socket exhaustion

  • Improves performance

  • Centralized configuration

  • Better testability

Step 1: Create ASP.NET Core Project

dotnet new webapi -n HttpClientFactoryDemo
cd HttpClientFactoryDemo

Step 2: Register HttpClientFactory

Open Program.cs and add:

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();

// Register HttpClientFactory
builder.Services.AddHttpClient();

var app = builder.Build();

app.UseHttpsRedirection();
app.MapControllers();
app.Run();

Step 3: Use IHttpClientFactory in Controller

Inject IHttpClientFactory

using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/[controller]")]
public class DemoController : ControllerBase
{
    private readonly IHttpClientFactory _httpClientFactory;

    public DemoController(IHttpClientFactory httpClientFactory)
    {
        _httpClientFactory = httpClientFactory;
    }

    [HttpGet]
    public async Task<IActionResult> Get()
    {
        var client = _httpClientFactory.CreateClient();

        var response = await client.GetAsync("https://jsonplaceholder.typicode.com/posts");

        var data = await response.Content.ReadAsStringAsync();

        return Ok(data);
    }
}

Now HttpClient instances are managed efficiently.

Step 4: Named Clients

What are Named Clients?

Named clients allow you to configure different HttpClient instances for different APIs.

Configure Named Client

builder.Services.AddHttpClient("MyApi", client =>
{
    client.BaseAddress = new Uri("https://jsonplaceholder.typicode.com/");
    client.Timeout = TimeSpan.FromSeconds(10);
});

Use Named Client

var client = _httpClientFactory.CreateClient("MyApi");
var response = await client.GetAsync("posts");

Step 5: Typed Clients

What are Typed Clients?

Typed clients provide a clean and strongly-typed way to use HttpClient.

Create Typed Client

public class MyApiService
{
    private readonly HttpClient _httpClient;

    public MyApiService(HttpClient httpClient)
    {
        _httpClient = httpClient;
    }

    public async Task<string> GetPosts()
    {
        return await _httpClient.GetStringAsync("posts");
    }
}

Register Typed Client

builder.Services.AddHttpClient<MyApiService>(client =>
{
    client.BaseAddress = new Uri("https://jsonplaceholder.typicode.com/");
});

Use Typed Client

public class DemoController : ControllerBase
{
    private readonly MyApiService _service;

    public DemoController(MyApiService service)
    {
        _service = service;
    }

    [HttpGet]
    public async Task<IActionResult> Get()
    {
        var data = await _service.GetPosts();
        return Ok(data);
    }
}

Step 6: Configure HttpClient Handler Lifetime

To avoid DNS issues and reuse connections efficiently:

builder.Services.AddHttpClient("MyApi")
    .SetHandlerLifetime(TimeSpan.FromMinutes(5));

This ensures connections are refreshed periodically.

Step 7: Add Polly for Resilience

You can add retry policies using Polly (this requires the Microsoft.Extensions.Http.Polly package):

builder.Services.AddHttpClient("MyApi")
    .AddTransientHttpErrorPolicy(policy =>
        policy.WaitAndRetryAsync(3, _ => TimeSpan.FromSeconds(2)));

This improves reliability in real-world applications.

Step 8: Best Practices

Follow These Best Practices

  • Always use IHttpClientFactory

  • Avoid creating HttpClient manually

  • Use named or typed clients

  • Configure timeouts

  • Add retry policies

Real-World Example

In a microservices architecture:

  • Service A calls Service B using HttpClientFactory

  • Connections are reused

  • Failures are handled with retries

This improves scalability and performance.

Summary

HttpClientFactory in .NET Core helps prevent socket exhaustion by managing HTTP connections efficiently through connection pooling and proper lifecycle management. Instead of creating multiple HttpClient instances, developers can use IHttpClientFactory to reuse connections, improve performance, and build scalable ASP.NET Core applications. Using named clients, typed clients, and resilience policies further enhances reliability and maintainability.


Important Distinctions Between gRPC and REST in.NET and When to Use Each


One of the most frequent questions developers have when building APIs in .NET is: should I use gRPC or REST?

Both are effective ways to make services communicate, but they work differently and suit different situations.

Choosing the wrong approach can lead to performance problems, scalability challenges, or unnecessary complexity.

This guide explains gRPC and REST in plain terms, gives a clear comparison, and shows when to use each in practical .NET applications.

What is REST?

REST (Representational State Transfer) is the most commonly used way to build APIs.

It works over HTTP and uses standard methods like:

  • GET → Fetch data

  • POST → Create data

  • PUT → Update data

  • DELETE → Remove data

REST APIs usually return data in JSON format, which is easy to read and widely supported.

In simple words:
REST is a simple and flexible way to build APIs that can be used by any client (web, mobile, etc.).

What is gRPC?

gRPC is a high-performance communication framework developed by Google.

It uses:

  • HTTP/2 (faster than HTTP/1.1)

  • Protocol Buffers (binary format instead of JSON)

Instead of sending plain JSON, gRPC sends compact binary data, which makes it faster and more efficient.

In simple words:
gRPC is a fast and efficient way for services to talk to each other.

Key Difference Between REST and gRPC (Explained Simply)

Feature         | REST        | gRPC
Protocol        | HTTP/1.1    | HTTP/2
Data Format     | JSON (text) | Protobuf (binary)
Speed           | Moderate    | Very fast
Readability     | Easy        | Not human-readable
Streaming       | Limited     | Built-in support
Browser Support | Excellent   | Limited

How REST Works (Simple Flow)

  1. Client sends HTTP request (GET/POST)

  2. Server processes request

  3. Server returns JSON response

Example:

GET /api/products

Response:

{
  "id": 1,
  "name": "Laptop"
}

This is simple and easy to debug.

How gRPC Works (Simple Flow)

  1. Define contract using .proto file

  2. Generate C# classes

  3. Client calls methods directly like functions

Example proto file:

service ProductService {
  rpc GetProduct (ProductRequest) returns (ProductResponse);
}

In gRPC, communication feels like calling a method instead of sending HTTP requests.

Step-by-Step: Create a gRPC Service in .NET

Step 1: Create gRPC Project

dotnet new grpc -n GrpcDemo
cd GrpcDemo

Step 2: Define Service in .proto File

syntax = "proto3";

service GreetingService {
  rpc SayHello (HelloRequest) returns (HelloResponse);
}

message HelloRequest {
  string name = 1;
}

message HelloResponse {
  string message = 1;
}

Step 3: Implement Service

using Grpc.Core;
using System.Threading.Tasks;

// The code generated from the .proto file is already a static class named
// GreetingService, so the implementation needs a different name to avoid a clash.
public class GreetingServiceImpl : GreetingService.GreetingServiceBase
{
    public override Task<HelloResponse> SayHello(HelloRequest request, ServerCallContext context)
    {
        return Task.FromResult(new HelloResponse
        {
            Message = "Hello " + request.Name
        });
    }
}

Register it in Program.cs with app.MapGrpcService<GreetingServiceImpl>(); so the server exposes it.

Step 4: Call gRPC Service (Client)

using Grpc.Net.Client;

var channel = GrpcChannel.ForAddress("https://localhost:5001");
var client = new GreetingService.GreetingServiceClient(channel);

var reply = await client.SayHelloAsync(new HelloRequest { Name = "John" });

Console.WriteLine(reply.Message);

When to Use REST?

Use REST when:

  • You are building public APIs

  • Your API is consumed by browsers or mobile apps

  • You need easy debugging (JSON)

  • Simplicity is more important than performance

When to Use gRPC?

Use gRPC when:

  • You are building microservices

  • You need high performance and low latency

  • Services communicate internally

  • You need streaming (real-time data)

REST vs gRPC in Microservices Architecture

In real-world systems:

  • REST is often used for external communication (client → server)

  • gRPC is used for internal communication (service → service)

This gives you both simplicity and performance.

Best Practices

  • Use REST for public-facing APIs

  • Use gRPC for internal services

  • Avoid mixing unnecessarily

  • Consider team experience and tooling

Real-World Example

E-commerce system:

  • Frontend → REST API

  • Backend services → gRPC communication

This ensures fast internal processing and simple external access.

Conclusion

Both REST and gRPC are powerful tools in .NET. The right choice depends on your use case.

If you need simplicity and wide compatibility, go with REST. If you need performance and efficiency for internal communication, gRPC is the better choice.

Understanding both will help you design better, scalable, and high-performance applications.


ASP.NET Tutorial: JWT Verification in the ASP.NET Core Web API


Security is one of the most important parts of any application. Today, most modern apps use token-based authentication instead of session-based login.

One of the most popular methods is JWT (JSON Web Token) in ASP.NET Core.

What is JWT?

JWT (JSON Web Token) is a secure token that is generated after login and used to access protected APIs.

Instead of storing the user's session on the server, JWT stores the data in the token itself.

Simple Flow (Easy Understanding)

  • User Login

  • Server verifies user

  • Server generates JWT token

  • Client stores token

  • Client sends token in every request

  • Server validates token

Why JWT is Trending?

  • Stateless (No session needed)

  • Secure

  • Fast

  • Used in Mobile + Web APIs

  • Industry standard

Step 1: Create Web API Project

dotnet new webapi -n JwtAuthDemo

Step 2: Install Required Package

dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

Step 3: Configure JWT in Program.cs

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Text;

var builder = WebApplication.CreateBuilder(args);

var key = "ThisIsMySecretKey12345";

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = false,
        ValidateAudience = false,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key))
    };
});

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", () => "JWT API Running");

app.Run();

Step 4: Create Token Generator

using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public class JwtService
{
    private string key = "ThisIsMySecretKey12345";

    public string GenerateToken(string username)
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, username)
        };

        var keyBytes = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key));
        var creds = new SigningCredentials(keyBytes, SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
            claims: claims,
            expires: DateTime.Now.AddMinutes(30),
            signingCredentials: creds
        );

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

Step 5: Login API (Generate Token)

app.MapPost("/login", (string username, string password) =>
{
    // Demo only: the credentials are hard-coded here; a real application
    // verifies them against a user store with hashed passwords.
    if (username == "admin" && password == "123")
    {
        var jwt = new JwtService();
        var token = jwt.GenerateToken(username);

        return Results.Ok(token);
    }

    return Results.Unauthorized();
});

Step 6: Secure API

app.MapGet("/secure", () =>
{
    return "This is protected data";
}).RequireAuthorization();

How to Use in Postman

  • Call /login → get token

  • Copy token

  • Go to Headers

  • Add the header:

Authorization: Bearer YOUR_TOKEN

  • Call /secure

Easy Understanding

  • Token = Identity Card 🪪

  • Without token ❌ access denied

  • With token ✅ access allowed

Real-Life Use Cases

  • Mobile apps login

  • Banking APIs

  • E-commerce systems

  • Microservices authentication

Conclusion

JWT authentication in ASP.NET Core is:

  • Secure

  • Fast

  • Widely used


Managing DB Null: The object cannot be cast from the database. To other types, null A C# error


System.InvalidCastException is one of the most common exceptions developers run into while working with ADO.NET and databases such as Oracle or SQL Server. It typically occurs when code tries to convert a NULL database value directly to a primitive type like int or decimal.

A database null in ADO.NET is represented by the DBNull.Value object, not by the C# null keyword. Because DBNull.Value cannot be cast straight to an integer, the program throws. In this post, we'll look at how to organise your data access code with a try-catch structure and build a reliable pattern that handles these nulls by defaulting them to 0.

Background

Imagine you are fetching commission rates from an Oracle database. Your table, UTILITIES_COMPANIES_COMM_RATES, has columns for CLIENTID and COMMISSIONRATE. If a specific record has no client assigned (a NULL value), the following code will fail:

// This line will throw an InvalidCastException if CLIENTID is NULL in the DB
ClientId = Convert.ToInt32(reader["CLIENTID"]);

To prevent this, we must verify the data before conversion.

Step-by-Step Implementation

1. Handling DBNull with the Ternary Operator

The simplest way to fix this is to use the ternary operator (? :) to check for DBNull.Value. If the value is null, we assign a default (like 0); otherwise, we perform the conversion.

int clientId = reader["CLIENTID"] == DBNull.Value ? 0 : Convert.ToInt32(reader["CLIENTID"]);

2. Implementing a Robust Repository Method

When writing for a production environment, it is best practice to wrap your database logic in a using statement (to handle connection closing) and a try-catch block (to handle errors).

Here is the full implementation for a GetAllCommissionRates method:

public List<UtilityCommissionRate> GetAllCommissionRates()
{
    var list = new List<UtilityCommissionRate>();
    string query = "SELECT ID, CLIENTID, COMMISSIONRATE, COMPANYID FROM UTILITIES_COMPANIES_COMM_RATES";

    // 'using' ensures the connection is closed even if an error occurs
    using (OracleConnection conn = new OracleConnection(_connectionString))
    {
        OracleCommand cmd = new OracleCommand(query, conn);

        try
        {
            conn.Open();
            using (OracleDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    list.Add(new UtilityCommissionRate
                    {
                        // Check each column for DBNull before converting
                        Id = reader["ID"] == DBNull.Value ? 0 : Convert.ToInt32(reader["ID"]),

                        ClientId = reader["CLIENTID"] == DBNull.Value ? 0 : Convert.ToInt32(reader["CLIENTID"]),

                        CommissionRate = reader["COMMISSIONRATE"] == DBNull.Value ? 0m : Convert.ToDecimal(reader["COMMISSIONRATE"]),

                        CompanyId = reader["COMPANYID"] == DBNull.Value ? 0 : Convert.ToInt32(reader["COMPANYID"])
                    });
                }
            }
        }
        catch (OracleException ex)
        {
            // Log database-specific errors (e.g., connection issues)
            Console.WriteLine($"Database Error: {ex.Message}");
            throw;
        }
        catch (Exception ex)
        {
            // Log general conversion or logic errors
            Console.WriteLine($"General Error: {ex.Message}");
            throw;
        }
    }
    return list;
}

Creating a Cleaner Solution: Extension Methods

If you have a large project with many tables, checking for DBNull.Value in every line makes the code hard to read. We can solve this by creating a Generic Extension Method.

The Utility Class

using System;
using System.Data;

public static class DataReaderExtensions
{
    public static T GetValueOrDefault<T>(this IDataRecord reader, string columnName)
    {
        object value = reader[columnName];
        if (value == DBNull.Value)
            return default(T);   // 0 for int, 0m for decimal, null for reference/nullable types

        // Convert.ChangeType cannot target Nullable<T>; unwrap it so int? works as well as int
        Type targetType = Nullable.GetUnderlyingType(typeof(T)) ?? typeof(T);
        return (T)Convert.ChangeType(value, targetType);
    }
}

Clean Usage

Now, your mapping code becomes much shorter and cleaner:

while (reader.Read())
{
    list.Add(new UtilityCommissionRate
    {
        Id = reader.GetValueOrDefault<int>("ID"),
        ClientId = reader.GetValueOrDefault<int>("CLIENTID"),
        CommissionRate = reader.GetValueOrDefault<decimal>("COMMISSIONRATE")
    });
}

Summary

  • The Problem: Convert.ToInt32 fails when it receives DBNull.Value.

  • The Fix: Use reader["column"] == DBNull.Value to check for nulls before casting.

  • Best Practice: Always use using blocks for OracleConnection to prevent memory leaks and connection pool exhaustion.

  • Pro Tip: Use extension methods to keep your repository code clean and maintainable.

Conclusion

Handling database nulls is a fundamental part of building stable .NET applications. By following the patterns above, you can ensure your application handles missing data gracefully without crashing.


Safe JWT Verification in ASP.NET Core Using Cookie Storage.NET 9


JWT (JSON Web Token) authentication in ASP.NET Core can be implemented by storing the token inside an HTTP-only cookie to enhance security. This method blends the stateless and self-contained nature of JWTs with the added protection provided by secure cookie storage.

Why use JWT with cookies?

JWTs are widely used for authentication because they are stateless and carry all the required user data within the token itself. However, saving JWTs in localStorage or sessionStorage makes them vulnerable to XSS (Cross-Site Scripting) attacks. Placing the token in an HTTP-only cookie helps reduce this risk, while still preserving the advantages of JWT-based authentication.

Step 1: Configure JWT Authentication

To begin, configure JWT authentication in your ASP.NET Core application:

var jwtKey = "qwertyuiopasdfghjklzxcvbnm123456";
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = "your-app",
            ValidAudience = "your-app",
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtKey))
        };

        // Read JWT token from cookie
        options.Events = new JwtBearerEvents
        {
            OnMessageReceived = context =>
            {
                if (context.Request.Cookies.ContainsKey("AuthToken"))
                {
                    context.Token = context.Request.Cookies["AuthToken"];
                }
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();

Step 2: Configure Middleware

Add the authentication and authorization middleware in your Program.cs:

app.UseAuthentication();
app.UseAuthorization();

Step 3: Generate and Store JWT Tokens

Here's our token generation endpoint:

[HttpPost("GenerateAuthToken")]
public IActionResult GenerateAuthToken()
{
    var jwtKey = "qwertyuiopasdfghjklzxcvbnm123456";
    var token = GenerateJwtToken("Test", jwtKey);
    var cookieOptions = new CookieOptions
    {
        HttpOnly = true,     // Prevent JavaScript access
        Secure = true,       // Only send over HTTPS
        SameSite = SameSiteMode.Strict, // Prevent CSRF
        Expires = DateTime.UtcNow.AddHours(1)
    };

    Response.Cookies.Append("AuthToken", token, cookieOptions);

    return Ok(new { message = "Auth Token generated successfully" });
}

public static string GenerateJwtToken(string username, string key)
{
    var tokenHandler = new JwtSecurityTokenHandler();
    var keyBytes = Encoding.UTF8.GetBytes(key);

    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, username)
        }),
        Expires = DateTime.UtcNow.AddHours(1),
        Issuer = "your-app",
        Audience = "your-app",
        SigningCredentials = new SigningCredentials(
            new SymmetricSecurityKey(keyBytes),
            SecurityAlgorithms.HmacSha256Signature)
    };

    var token = tokenHandler.CreateToken(tokenDescriptor);
    return tokenHandler.WriteToken(token);
}

Step 4: Protect Endpoints with Authorization

Now we can protect endpoints using the [Authorize] attribute:

[Authorize]
[HttpGet("GetCurrentProfile")]
public IActionResult GetCurrentProfile()
{
    var username = User.Identity?.Name;
    return Ok(new { user = username });
}

Full Example:

Here's a complete minimal API example:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Text;

var builder = WebApplication.CreateBuilder(args);

// Add services
var jwtKey = "qwertyuiopasdfghjklzxcvbnm123456";
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = "your-app",
            ValidAudience = "your-app",
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtKey))
        };

        options.Events = new JwtBearerEvents
        {
            OnMessageReceived = context =>
            {
                if (context.Request.Cookies.ContainsKey("AuthToken"))
                {
                    context.Token = context.Request.Cookies["AuthToken"];
                }
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.Run();

Security Considerations

  1. Key Management: In production, use a more complex key and store it securely (e.g., in Azure Key Vault or AWS Secrets Manager)

  2. Token Expiration: Keep token lifetimes short (1 hour in our example)

  3. Refresh Tokens: Consider implementing a refresh token mechanism for longer sessions
