CookieAuthenticationEvents.OnValidatePrincipal can result in a NullReferenceException

[tuespetre]

Before OnValidatePrincipal is called by the CookieAuthenticationHandler, CheckForRefresh is called, which guards against null values for IssuedUtc and ExpiresUtc before calling RequestRefresh; however, afterwards, if ShouldRenew was set to true on the CookieValidatePrincipalContext, RequestRefresh will be called directly without any safeguards against null values:

https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs#L131

When this bug is encountered, it results in failure of any exception/diagnostics handlers and the user seeing a blank page.

[Eilon]

We think the behavior is that if the value is null it should just ignore it and not throw any exceptions.

[troydai]

Fixed in cbbec15