Where to store OAUTH2 access token in mvc5 web app

Posted 2019-07-24 11:47

Question:

I have an API (.NET Web API 2) that is to be consumed by an (external) MVC5 application. The API implements a simple authorization server for issuing tokens to consumers (the implementation follows the example given by the Thinktecture IdentityModel samples).

The API is to be consumed by (among others) users of a GUI (MVC5 application) who have to log in to gain access to the application. When logging in, an HTTP request is issued by the application to the API, which in the case of correct credentials returns the access token. Where should I save this token (so that the user does not have to log in again when changing page)? Should I store it in a cookie or a session, or perhaps as a claim to forms authentication?