From d37ca7bd916842ff2a2efe7aa0caf4c016d459cc Mon Sep 17 00:00:00 2001 From: Maarten Balliauw Date: Fri, 16 Jan 2026 15:46:13 +0100 Subject: [PATCH 1/2] Refine description of external authentication cookie behavior in IdentityServer docs; remove summary table. --- .../docs/identityserver/aspnet-identity/schemes.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/src/content/docs/identityserver/aspnet-identity/schemes.md b/src/content/docs/identityserver/aspnet-identity/schemes.md index e20b22d5..59177845 100644 --- a/src/content/docs/identityserver/aspnet-identity/schemes.md +++ b/src/content/docs/identityserver/aspnet-identity/schemes.md @@ -52,10 +52,10 @@ Besides the main application cookie, IdentityServer uses other schemes for speci ### External Authentication (e.g., Google, OIDC) -When a user signs in with an external provider (like Google or another OIDC provider), the result of that remote authentication is temporarily stored in an "external" cookie. This allows your login logic to read the claims from the external provider before fully signing the user into your main local session. +When a user signs in with an external provider (like Google or another OIDC provider), the result of that remote authentication is temporarily stored in an "external" cookie. +This allows your login logic to read the claims from the external provider before fully signing the user into your main local session. -- **Standalone Default:** `"idsrv.external"` (Constant: `IdentityServerConstants.ExternalCookieAuthenticationScheme`) -- **With ASP.NET Identity:** `"Identity.External"` (Constant: `IdentityConstants.ExternalScheme`) +IdentityServer always uses the `"idsrv.external"` scheme here, available in the `IdentityServerConstants.ExternalCookieAuthenticationScheme` constant. ### Check Session Cookie 
@@ -64,13 +64,7 @@ The [User Session Service](/identityserver/reference/services/user-session-servi - **Default Name:** `"idsrv.session"` (Constant: `IdentityServerConstants.DefaultCheckSessionCookieName`). This often remains consistent, but verify your specific configuration. -## Summary Table - -| Feature | Standalone IdentityServer | With ASP.NET Identity | -| :----------------------- | :---------------------------------------------------------------------------------------- | :------------------------------------------------------------------- | -| **Main Auth Cookie** | `"idsrv"`
(`IdentityServerConstants.DefaultCookieAuthenticationScheme`) | `"Identity.Application"`
(`IdentityConstants.ApplicationScheme`) | -| **External Auth Cookie** | `"idsrv.external"`
(`IdentityServerConstants.ExternalCookieAuthenticationScheme`) | `"Identity.External"`
(`IdentityConstants.ExternalScheme`) | -| **Typical Usage** | `HttpContext.SignInAsync(IdentityServerConstants.DefaultCookieAuthenticationScheme, ...)` | `SignInManager.SignInAsync(...)` | +Note this cookie is not marked as `HttpOnly`, so it can be accessed in client-side code. ## Common Pitfalls From d8f2a065b88b6bdf3be91086c216663661fc604e Mon Sep 17 00:00:00 2001 From: Maarten Balliauw Date: Fri, 16 Jan 2026 16:02:45 +0100 Subject: [PATCH 2/2] Update src/content/docs/identityserver/aspnet-identity/schemes.md --- src/content/docs/identityserver/aspnet-identity/schemes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/identityserver/aspnet-identity/schemes.md b/src/content/docs/identityserver/aspnet-identity/schemes.md index 59177845..a9c0fdbb 100644 --- a/src/content/docs/identityserver/aspnet-identity/schemes.md +++ b/src/content/docs/identityserver/aspnet-identity/schemes.md @@ -64,7 +64,7 @@ The [User Session Service](/identityserver/reference/services/user-session-servi - **Default Name:** `"idsrv.session"` (Constant: `IdentityServerConstants.DefaultCheckSessionCookieName`). This often remains consistent, but verify your specific configuration. -Note this cookie is not marked as `HttpOnly`, so it can be accessed in client-side code. +Note this cookie is not marked as `HttpOnly`, so it can be accessed in client-side code. The JavaScript code that is required to check user sessions in the background also requires access to this cookie, and needs it to be `HttpOnly`. ## Common Pitfalls
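Review bot: The word "always" in the sentence added by the first hunk of PATCH 1/2 (@@ -52,10 +52,10 @@) replaces a bullet that documented `"Identity.External"` (`IdentityConstants.ExternalScheme`) for the ASP.NET Identity case, and the new text never mentions that scheme again even though this page lives under aspnet-identity/. State explicitly that the external cookie scheme stays `"idsrv.external"` when ASP.NET Identity is in use, so a reader who relied on the old bullet knows which scheme to pass when reading the external authentication result. The commit subject calls this a refinement, but it changes a documented behaviour, and the message should say that the earlier statement was wrong.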
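Review bot: Deleting the whole Summary Table in the second hunk of PATCH 1/2 (@@ -64,13 +64,7 @@) also drops the **Main Auth Cookie** and **Typical Usage** rows, which the external cookie correction does not touch. Either keep the table and correct only the **External Auth Cookie** row, or confirm that the `"idsrv"` versus `"Identity.Application"` distinction and the `HttpContext.SignInAsync(...)` versus `SignInManager.SignInAsync(...)` guidance are still covered elsewhere on the page. The added line "Note this cookie is not marked as `HttpOnly`" would also read better if it named the cookie (`"idsrv.session"`) instead of "this cookie", and said "Note that".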
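Review bot: The sentence appended in PATCH 2/2 (@@ -64,7 +64,7 @@) contradicts the one before it: the note says the cookie is not marked as `HttpOnly` so that client-side code can access it, and then ends with "needs it to be `HttpOnly`". A cookie with `HttpOnly` set cannot be read from JavaScript, so the ending should say the opposite, for example "and therefore needs it not to be `HttpOnly`". The "also" is misleading too, since the background session check is the reason for the client-side access rather than a second consumer. Because this describes a deliberate relaxation of a cookie protection, the wording needs to be unambiguous so that nobody "fixes" the flag and breaks session checks.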