Revisit how application identifier is generated

[aspnet-hello]

From @Eilon on Friday, May 5, 2017 11:15:40 AM

Perhaps in the case of IIS (and thus Antares), ANCM should flow the IIS "app id" so that Data Protection could use it.

cc @blowdart @DamianEdwards @davidfowl @Tratcher

Copied from original issue: aspnet/DataProtection#229

[aspnet-hello]

From @blowdart on Friday, May 5, 2017 12:06:16 PM

This is probably a hosting issue

[aspnet-hello]

From @Tratcher on Friday, May 5, 2017 1:53:06 PM

or ANCM + IISIntegration

[aspnet-hello]

From @davidfowl on Saturday, May 6, 2017 12:59:38 AM

We need to also consider xplat and service fabric scenarios (clusters in general).

/cc @glennc

[aspnet-hello]

From @johnkors on Saturday, May 20, 2017 8:45:57 AM

Are we talking about DataProtectionUtilityExtensions ?

It's by default causing invalidation of cookies when used in conjunction with Octopus, which deploys to a different physical path every deploy.

@anderaus wrote a piece about the issues here: http://blog.novanet.no/a-pile-of-anti-forgery-cookies/

[aspnet-hello]

From @davidfowl on Saturday, May 20, 2017 10:08:28 AM

Yes, it's a really bad default.

[blowdart]

@muratg We should revisit this again. It slipped past 2.1, so I've put it in 2.2 so it doesn't drop off.