How to Disable Data Protection in ASP.NET Core

By Tiago Araújo
Published in The Startup, May 2, 2020

Nowadays, security is a must-have for public applications. As a rat, you need to protect yourself from all the eagles that you don’t see but are always watching you.

Data Protection is an ASP.NET Core API for protecting security-sensitive data. It is used by other APIs and features such as Authentication, Session, Anti-Forgery, etc. However, in some cases, there is no need for security encryption, or you simply want to take a risk to minimize the overhead of some operations.

There are many reasons that can lead you to disable Data Protection. Here I will explore the challenge of turning off the encryption of the Session cookie in an ASP.NET Core application.

Override the default IDataProtectionProvider

Start by registering your own IDataProtectionProvider to override the default behavior and provide protectors without the encryption layer. Then get the service descriptor previously registered by ASP.NET Core Data Protection or other features, and take its lifetime and factory information. With the factory expression, you can inject its result into your custom IDataProtectionProvider to maintain the behavior of the provider registered by ASP.NET Core Data Protection.

Please Note: You must register your custom created IDataProtectionProvider after adding Data Protection, Authentication, Session, Anti Forgery, and other features that depend on Data Protection API as those try to add the Data Protection that you are trying to override. If you register before adding them, the search for IDataProtectionProvider in the IServiceCollection will probably fail.

Register of IDataProtectionProvider

Create a new IDataProtectionProvider

As you can find in the ASP.NET Core source code, SessionMiddleware calls the CreateProtector method with the parameter “SessionMiddleware”, so you need to validate the “SessionMiddleware” purpose.

To do so, the next step is to create an IDataProtectionProvider that receives the inner IDataProtectionProvider to use in the CreateProtector method. Here you need to check whether the purpose argument is “SessionMiddleware” and, if it is, provide an IDataProtector without encryption.

CustomDataProtection to override the default IDataProtectionProvider

Create a new IDataProtector

To create an IDataProtector without protection, you just need to return the same argument received in the Protect and Unprotect methods. Et voilà! Your protector without encryption for the SessionMiddleware is ready.

IDataProtector without encryption
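The three steps above combined into one sketch, added here as an example; it is not the author's original code. The class and method names (NoOpDataProtector, SessionPassThroughProvider, DisableSessionProtection) are hypothetical, and the development-only guard is an assumption that follows the use cases named in the conclusions.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// Pass-through protector (hypothetical name). Data Protection normally encrypts
// AND authenticates payloads, so this removes tamper detection as well.
public sealed class NoOpDataProtector : IDataProtector
{
    public IDataProtector CreateProtector(string purpose) => this;
    public byte[] Protect(byte[] plaintext) => plaintext;
    public byte[] Unprotect(byte[] protectedData) => protectedData;
}

// Delegates to the original provider for every purpose except the session one.
public sealed class SessionPassThroughProvider : IDataProtectionProvider
{
    private readonly IDataProtectionProvider _inner;
    public SessionPassThroughProvider(IDataProtectionProvider inner) => _inner = inner;

    public IDataProtector CreateProtector(string purpose) =>
        purpose == "SessionMiddleware" ? new NoOpDataProtector() : _inner.CreateProtector(purpose);
}

public static class SessionPassThroughExtensions
{
    // Call after AddDataProtection, AddSession, AddAuthentication, AddAntiforgery.
    public static IServiceCollection DisableSessionProtection(
        this IServiceCollection services, IHostEnvironment env)
    {
        // Assumed guard: outside Development the real protector stays in place.
        if (!env.IsDevelopment()) return services;

        var original = services.LastOrDefault(d => d.ServiceType == typeof(IDataProtectionProvider))
            ?? throw new InvalidOperationException("Register Data Protection first.");

        // Rebuild the original provider from whatever the descriptor holds.
        Func<IServiceProvider, IDataProtectionProvider> build = sp =>
            (original.ImplementationInstance as IDataProtectionProvider)
            ?? (IDataProtectionProvider)(original.ImplementationFactory?.Invoke(sp)
                ?? ActivatorUtilities.CreateInstance(sp, original.ImplementationType!));

        // The last registration wins, and it keeps the original lifetime.
        services.Add(new ServiceDescriptor(typeof(IDataProtectionProvider),
            sp => new SessionPassThroughProvider(build(sp)), original.Lifetime));
        return services;
    }
}
```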

Conclusions

Disabling the encryption layer of an ASP.NET Core application is a tool that can help you in specific situations such as localhost debugging or regression test environments. Depending on your application's context, you can try to explore this safe tool for some features related to ASP.NET Core internals. After all, encrypted data is not human friendly.
