Inclusion of permissions in a claim is usually a good idea if it meets the requirements of the application. One of the benefits of requirements-based security is the decoupling between user metadata (name, role, age, permission, etc.) and application security requirements. If, for example, a certain βactionβ requires the user to have a certain age, a simple HasClaim(c => c.Type == Age && c.Value >= 18) check is HasClaim(c => c.Type == Age && c.Value >= 18) . And if this requires simple permission, why not just check HasClaim(CanAccessX) ?
Many applications (incorrectly) use groups / roles like CanAccessX / CanReadY / CanWriteZ to implement a less complex (= better) security mechanism. With claims, this concept becomes somehow natural.
Secondly, bloating cookies can be a problem. Similarly, for example, sprawling tokens with Kerberos can be a problem if the user has too many groups / roles / permissions / independently. One approach to solving this problem may be some role-based protection against requirements-based security: if there are n roles for m permissions (n ββmust be much less than m), you can write n roles only in a cookie, but convert them for backstage in a simple module / middleware. Another solution might be a custom identity / permission mapping, so you only need to write the user ID in the cookie, but map it to its (cached) permissions before actually processing the request.
I would start with a direct approach (just write all the complaints about the cookie). Then, if it gets too big and reduces the performance of the application, you can optimize its behavior with a more or less complex module / middleware that should not affect the actual βcodeβ.
Note that there are already .NET mechanisms for securely storing this cookie: for classic (current) IIS applications, you can use the Session Verification Module , for modern (future) OWIN applications you can use middleware for cookie authentication .