ActiveLogin · Zonnex · Feb 24, 2025 · Sep 25, 2025
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,7 @@
+{
+    "markdownlint.config": {
+      "MD033": {
+        "allowed_elements": ["a", "img"]
+      }
+    }
+  }
diff --git a/docs/articles/bankid.md b/docs/articles/bankid.md
diff --git a/samples/Standalone.MvcSample/Standalone.MvcSample.csproj b/samples/Standalone.MvcSample/Standalone.MvcSample.csproj
@@ -31,6 +31,6 @@
     </ItemGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.22.0" />
+        <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.23.0" />
     </ItemGroup>
 </Project>
diff --git a/...ogin.Authentication.BankId.AspNetCore/ActiveLogin.Authentication.BankId.AspNetCore.csproj b/...ogin.Authentication.BankId.AspNetCore/ActiveLogin.Authentication.BankId.AspNetCore.csproj
@@ -14,7 +14,7 @@
 
     <ItemGroup>
         <FrameworkReference Include="Microsoft.AspNetCore.App" />
-        <PackageReference Include="Microsoft.Extensions.Http" Version="8.0.1" />
+        <PackageReference Include="Microsoft.Extensions.Http" Version="9.0.2" />
         <PackageReference Include="ActiveLogin.Identity.Swedish" Version="3.0.0" />
     </ItemGroup>
 

diff --git a/...thentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiApiControllerBase.cs b/...thentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiApiControllerBase.cs
@@ -9,7 +9,9 @@
 using ActiveLogin.Authentication.BankId.AspNetCore.DataProtection;
 using ActiveLogin.Authentication.BankId.AspNetCore.Helpers;
 using ActiveLogin.Authentication.BankId.AspNetCore.Models;
+using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.Flow;
+using ActiveLogin.Authentication.BankId.Core.Models;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
 
 using Microsoft.AspNetCore.Http;
@@ -18,43 +20,29 @@
 namespace ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Controllers;
 
 [NonController]
-public abstract class BankIdUiApiControllerBase : ControllerBase
+public abstract class BankIdUiApiControllerBase(
+    IBankIdFlowService bankIdFlowService,
+    IBankIdDataStateProtector<BankIdUiOrderRef> orderRefProtector,
+    IBankIdDataStateProtector<BankIdQrStartState> qrStartStateProtector,
+    IBankIdUiOptionsCookieManager uiOptionsCookieManager,
+
+    IBankIdUserMessage bankIdUserMessage,
+    IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
+    IBankIdDataStateProtector<BankIdUiResult> uiAuthResultProtector,
+    IStateStorage stateStorage
+) : ControllerBase
 {
     private static JsonSerializerOptions JsonSerializerOptions = new() { PropertyNamingPolicy = JsonNamingPolicy.CamelCase };
 
-    protected readonly IBankIdFlowService BankIdFlowService;
-    protected readonly IBankIdUiOrderRefProtector OrderRefProtector;
-    protected readonly IBankIdQrStartStateProtector QrStartStateProtector;
-    protected readonly IBankIdUiOptionsProtector UiOptionsProtector;
-    protected readonly IBankIdUiOptionsCookieManager UiOptionsCookieManager;
+    protected readonly IBankIdFlowService BankIdFlowService = bankIdFlowService;
+    protected readonly IBankIdDataStateProtector<BankIdUiOrderRef> OrderRefProtector = orderRefProtector;
+    protected readonly IBankIdDataStateProtector<BankIdQrStartState> QrStartStateProtector = qrStartStateProtector;
+    protected readonly IStateStorage _stateStorage = stateStorage;
+    protected readonly IBankIdUiOptionsCookieManager UiOptionsCookieManager = uiOptionsCookieManager;
 
-    private readonly IBankIdUserMessage _bankIdUserMessage;
-    private readonly IBankIdUserMessageLocalizer _bankIdUserMessageLocalizer;
-    private readonly IBankIdUiResultProtector _uiAuthResultProtector;
-
-    protected BankIdUiApiControllerBase(
-        IBankIdFlowService bankIdFlowService,
-        IBankIdUiOrderRefProtector orderRefProtector,
-        IBankIdQrStartStateProtector qrStartStateProtector,
-        IBankIdUiOptionsProtector uiOptionsProtector,
-        IBankIdUiOptionsCookieManager uiOptionsCookieManager,
-
-        IBankIdUserMessage bankIdUserMessage,
-        IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
-        IBankIdUiResultProtector uiAuthResultProtector
-
-    )
-    {
-        BankIdFlowService = bankIdFlowService;
-        OrderRefProtector = orderRefProtector;
-        QrStartStateProtector = qrStartStateProtector;
-        UiOptionsProtector = uiOptionsProtector;
-        UiOptionsCookieManager = uiOptionsCookieManager;
-
-        _bankIdUserMessage = bankIdUserMessage;
-        _bankIdUserMessageLocalizer = bankIdUserMessageLocalizer;
-        _uiAuthResultProtector = uiAuthResultProtector;
-    }
+    private readonly IBankIdUserMessage _bankIdUserMessage = bankIdUserMessage;
+    private readonly IBankIdUserMessageLocalizer _bankIdUserMessageLocalizer = bankIdUserMessageLocalizer;
+    private readonly IBankIdDataStateProtector<BankIdUiResult> _uiAuthResultProtector = uiAuthResultProtector;
 
     [ValidateAntiForgeryToken]
     [HttpPost(BankIdConstants.Routes.BankIdApiStatusActionName)]
@@ -83,7 +71,7 @@ public async Task<ActionResult> Status(BankIdUiApiStatusRequest request)
             return BadRequestJsonResult(new BankIdUiApiErrorResponse(errorStatusMessage));
         }
 
-        switch(result)
+        switch (result)
         {
             case BankIdFlowCollectResultPending pending:
             {
@@ -196,4 +184,18 @@ protected BankIdUiOptions ResolveProtectedUiOptions(string protectedUiOptionsOrG
         return UiOptionsCookieManager.Retrieve(protectedUiOptionsOrGuid)
             ?? throw new InvalidOperationException(BankIdConstants.ErrorMessages.InvalidUiOptions);
     }
+
+    protected async ValueTask<T?> GetState<T>(BankIdUiOptions uiOptions)
+        where T : BankIdUiState
+    {
+        var cookie = Request.Cookies[uiOptions.StateKeyCookieName];
+        if (cookie == null)
+        {
+            return null;
+        }
+
+        var stateKey = new StateKey(cookie);
+        return await _stateStorage.GetAsync<T>(stateKey);
+    }
+
 }
diff --git a/...thentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiAuthApiController.cs b/...thentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiAuthApiController.cs
@@ -7,7 +7,7 @@
 using ActiveLogin.Authentication.BankId.AspNetCore.Models;
 using ActiveLogin.Authentication.BankId.Core.Flow;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
-
+using ActiveLogin.Authentication.BankId.Core;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
@@ -18,21 +18,17 @@ namespace ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Control
 [ApiController]
 [AllowAnonymous]
 [NonController]
-public class BankIdUiAuthApiController : BankIdUiApiControllerBase
+public class BankIdUiAuthApiController(
+    IBankIdFlowService bankIdFlowService,
+    IBankIdDataStateProtector<BankIdUiOrderRef> orderRefProtector,
+    IBankIdDataStateProtector<Core.Models.BankIdQrStartState> qrStartStateProtector,
+    IBankIdUserMessage bankIdUserMessage,
+    IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
+    IBankIdDataStateProtector<BankIdUiResult> uiAuthResultProtector,
+    IBankIdUiOptionsCookieManager uiOptionsCookieManager,
+    IStateStorage stateStorage
+) : BankIdUiApiControllerBase(bankIdFlowService, orderRefProtector, qrStartStateProtector, uiOptionsCookieManager, bankIdUserMessage, bankIdUserMessageLocalizer, uiAuthResultProtector, stateStorage)
 {
-    public BankIdUiAuthApiController(
-        IBankIdFlowService bankIdFlowService,
-        IBankIdUiOrderRefProtector orderRefProtector,
-        IBankIdQrStartStateProtector qrStartStateProtector,
-        IBankIdUiOptionsProtector uiOptionsProtector,
-        IBankIdUiOptionsCookieManager uiOptionsCookieManager,
-        IBankIdUserMessage bankIdUserMessage,
-        IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
-        IBankIdUiResultProtector uiAuthResultProtector)
-        : base(bankIdFlowService, orderRefProtector, qrStartStateProtector, uiOptionsProtector, uiOptionsCookieManager, bankIdUserMessage, bankIdUserMessageLocalizer, uiAuthResultProtector)
-    {
-    }
-
     [ValidateAntiForgeryToken]
     [HttpPost(BankIdConstants.Routes.BankIdApiInitializeActionName)]
     public async Task<ActionResult<BankIdUiApiInitializeResponse>> Initialize(BankIdUiApiInitializeRequest request)

diff --git a/....Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiAuthController.cs b/....Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiAuthController.cs
@@ -1,6 +1,7 @@
+using ActiveLogin.Authentication.BankId.AspNetCore.Auth;
 using ActiveLogin.Authentication.BankId.AspNetCore.Cookies;
-using ActiveLogin.Authentication.BankId.AspNetCore.DataProtection;
 using ActiveLogin.Authentication.BankId.AspNetCore.StateHandling;
+using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
 
 using Microsoft.AspNetCore.Antiforgery;
@@ -13,22 +14,15 @@ namespace ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Control
 [Area(BankIdConstants.Routes.ActiveLoginAreaName)]
 [AllowAnonymous]
 [NonController]
-public class BankIdUiAuthController : BankIdUiControllerBase
+public class BankIdUiAuthController(
+    IAntiforgery antiforgery,
+    IStringLocalizer<ActiveLoginResources> localizer,
+    IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
+    IBankIdInvalidStateHandler bankIdInvalidStateHandler,
+    IBankIdUiOptionsCookieManager uiOptionsCookieManager,
+    IStateStorage stateStorage
+) : BankIdUiControllerBase<BankIdUiAuthState>(antiforgery, localizer, bankIdUserMessageLocalizer, bankIdInvalidStateHandler, uiOptionsCookieManager, stateStorage)
 {
-    public BankIdUiAuthController(
-        IAntiforgery antiforgery,
-        IStringLocalizer<ActiveLoginResources> localizer,
-        IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
-        IBankIdUiOptionsProtector uiOptionsProtector,
-        IBankIdInvalidStateHandler bankIdInvalidStateHandler,
-        IBankIdUiStateProtector bankIdUiStateProtector,
-        IBankIdUiOptionsCookieManager uiOptionsCookieManager
-    )
-        : base(antiforgery, localizer, bankIdUserMessageLocalizer, uiOptionsProtector, bankIdInvalidStateHandler, bankIdUiStateProtector, uiOptionsCookieManager)
-    {
-
-    }
-
     [HttpGet]
     [Route($"/[area]/{BankIdConstants.Routes.BankIdPathName}/{BankIdConstants.Routes.BankIdAuthControllerPath}")]
     public Task<ActionResult> Init(string returnUrl, [FromQuery(Name = BankIdConstants.QueryStringParameters.UiOptions)] string uiOptionsGuid)

diff --git a/....Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiControllerBase.cs b/....Authentication.BankId.AspNetCore/Areas/ActiveLogin/Controllers/BankIdUiControllerBase.cs
@@ -7,6 +7,7 @@
 using ActiveLogin.Authentication.BankId.AspNetCore.Payment;
 using ActiveLogin.Authentication.BankId.AspNetCore.Sign;
 using ActiveLogin.Authentication.BankId.AspNetCore.StateHandling;
+using ActiveLogin.Authentication.BankId.Core;
 using ActiveLogin.Authentication.BankId.Core.UserMessage;
 
 using Microsoft.AspNetCore.Antiforgery;
@@ -16,32 +17,32 @@
 namespace ActiveLogin.Authentication.BankId.AspNetCore.Areas.ActiveLogin.Controllers;
 
 [NonController]
-public abstract class BankIdUiControllerBase : Controller
+public abstract class BankIdUiControllerBase<T>(
+    IAntiforgery antiforgery,
+    IStringLocalizer<ActiveLoginResources> localizer,
+    IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
+    IBankIdInvalidStateHandler bankIdInvalidStateHandler,
+    IBankIdUiOptionsCookieManager uiOptionsCookieManager,
+    IStateStorage stateStorage
+) : Controller
+    where T : BankIdUiState
 {
-    private readonly IAntiforgery _antiforgery;
-    private readonly IStringLocalizer<ActiveLoginResources> _localizer;
-    private readonly IBankIdUserMessageLocalizer _bankIdUserMessageLocalizer;
-    private readonly IBankIdUiOptionsProtector _uiOptionsProtector;
-    private readonly IBankIdInvalidStateHandler _bankIdInvalidStateHandler;
-    private readonly IBankIdUiStateProtector _bankIdUiStateProtector;
-    private readonly IBankIdUiOptionsCookieManager _uiOptionsCookieManager;
-
-    protected BankIdUiControllerBase(
-        IAntiforgery antiforgery,
-        IStringLocalizer<ActiveLoginResources> localizer,
-        IBankIdUserMessageLocalizer bankIdUserMessageLocalizer,
-        IBankIdUiOptionsProtector uiOptionsProtector,
-        IBankIdInvalidStateHandler bankIdInvalidStateHandler,
-        IBankIdUiStateProtector bankIdUiStateProtector,
-        IBankIdUiOptionsCookieManager uiOptionsCookieManager)
+    private readonly IAntiforgery _antiforgery = antiforgery;
+    private readonly IStringLocalizer<ActiveLoginResources> _localizer = localizer;
+    private readonly IBankIdUserMessageLocalizer _bankIdUserMessageLocalizer = bankIdUserMessageLocalizer;
+    private readonly IBankIdInvalidStateHandler _bankIdInvalidStateHandler = bankIdInvalidStateHandler;
+    private readonly IBankIdUiOptionsCookieManager _uiOptionsCookieManager = uiOptionsCookieManager;
+    private readonly IStateStorage stateStorage = stateStorage;
+
+    protected Task<T?> GetUIState(BankIdUiOptions uiOptions)
     {
-        _antiforgery = antiforgery;
-        _localizer = localizer;
-        _bankIdUserMessageLocalizer = bankIdUserMessageLocalizer;
-        _uiOptionsProtector = uiOptionsProtector;
-        _bankIdInvalidStateHandler = bankIdInvalidStateHandler;
-        _bankIdUiStateProtector = bankIdUiStateProtector;
-        _uiOptionsCookieManager = uiOptionsCookieManager;
+        var cookie = HttpContext.Request.Cookies[uiOptions.StateKeyCookieName];
+        if (cookie is null)
+        {
+            return Task.FromResult<T?>(default);
+        }
+        var stateKey = new StateKey(cookie);
+        return stateStorage.GetAsync<T>(stateKey);
     }
 
     protected async Task<ActionResult> Initialize(string returnUrl, string apiControllerName, string uiOptionsGuid, string viewName)
@@ -63,32 +64,40 @@ protected async Task<ActionResult> Initialize(string returnUrl, string apiContro
             return new EmptyResult();
         }
 
-        var antiforgeryTokens = _antiforgery.GetAndStoreTokens(HttpContext);
+        var state = await GetUIState(uiOptions);
 
-        var protectedState = Request.Cookies[uiOptions.StateCookieName];
-        if(protectedState == null)
+        if (state == null)
         {
             var invalidStateContext = new BankIdInvalidStateContext(uiOptions.CancelReturnUrl);
             await _bankIdInvalidStateHandler.HandleAsync(invalidStateContext);
 
             return new EmptyResult();
         }
-        var state = _bankIdUiStateProtector.Unprotect(protectedState);
 
+        var antiforgeryTokens = _antiforgery.GetAndStoreTokens(HttpContext);
         var viewModel = GetUiViewModel(returnUrl, apiControllerName, uiOptionsGuid, uiOptions, state, antiforgeryTokens);
 
         return View(viewName, viewModel);
     }
 
     private bool HasStateCookie(BankIdUiOptions uiOptions)
     {
-        if (string.IsNullOrEmpty(uiOptions.StateCookieName)
-            || !HttpContext.Request.Cookies.ContainsKey(uiOptions.StateCookieName))
+        if (string.IsNullOrEmpty(uiOptions.StateKeyCookieName))
+        {
+            return false;
+        }
+
+        if (!HttpContext.Request.Cookies.ContainsKey(uiOptions.StateKeyCookieName))
+        {
+            return false;
+        }
+
+        if (string.IsNullOrEmpty(HttpContext.Request.Cookies[uiOptions.StateKeyCookieName]))
         {
             return false;
         }
 
-        return !string.IsNullOrEmpty(HttpContext.Request.Cookies[uiOptions.StateCookieName]);
+        return true;
     }
 
     private BankIdUiViewModel GetUiViewModel(string returnUrl, string apiControllerName, string uiOptionsGuid, BankIdUiOptions unprotectedUiOptions, BankIdUiState uiState, AntiforgeryTokenSet antiforgeryTokens)
@@ -127,7 +136,7 @@ private BankIdUiViewModel GetUiViewModel(string returnUrl, string apiControllerN
         var localizedCancelButtonText = _localizer["Cancel_Button"];
         var localizedQrCodeImageAltText = _localizer["Qr_Code_Image"];
 
-        if(uiState is BankIdUiSignState signState)
+        if (uiState is BankIdUiSignState signState)
         {
             var uiSignData = new BankIdUiSignData
             {