As far as I understand, Identity sends the user an encrypted token with some user information like the user name and expiration date. Then, when a new request arrives at the server, it decrypts it and will have all the user claims and some other information available.
My question is, in case there is no need to send the authentication information to other servers (for example if you are authenticating against another web site), would it be safer not to send as much information to the user? Perhaps we can just send a large code to the user and then match it against an in-memory collection or database.
I know that if someone is able to intercept that code she will also be able to make valid requests, but when the "ticket" expires it will no longer be valid for anyone until the login process is done again. However, if that code is compromised there won't be any other information in it than that.
I hope I am being clear with my question; if not, please let me know so I can improve it.
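The "large code matched against a server-side store" design described in the question, as an added example that is not part of the original post and not ASP.NET Identity's own code: the client only ever holds a random opaque ticket, the claims never leave the server, the store keeps just a hash of the ticket (so a leaked store cannot be replayed), and tickets expire and can be revoked. The store, lifetime and function names are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical in-memory store: sha256(ticket) -> (claims, expiry as epoch seconds).
# Only the digest is stored server-side, so a copy of this store yields no usable tickets.
_sessions: Dict[str, Tuple[dict, float]] = {}

TOKEN_BYTES = 32            # 256 bits of randomness; not guessable by brute force
TICKET_LIFETIME = 20 * 60   # seconds; the "ticket" expires like an auth cookie would


def _digest(ticket: str) -> str:
    return hashlib.sha256(ticket.encode("ascii")).hexdigest()


def issue_ticket(claims: dict, now: Optional[float] = None) -> str:
    """Return an opaque random ticket for the client; the claims stay on the server."""
    now = time.time() if now is None else now
    ticket = secrets.token_urlsafe(TOKEN_BYTES)
    _sessions[_digest(ticket)] = (dict(claims), now + TICKET_LIFETIME)
    return ticket


def resolve_ticket(ticket: str, now: Optional[float] = None) -> Optional[dict]:
    """Look up the claims behind a presented ticket; None if unknown or expired."""
    now = time.time() if now is None else now
    key = _digest(ticket)
    entry = _sessions.get(key)
    if entry is None:
        return None
    claims, expires_at = entry
    if now >= expires_at:
        del _sessions[key]      # lazily purge expired tickets
        return None
    return dict(claims)


def revoke_ticket(ticket: str) -> bool:
    """Server-side logout: a reference ticket can be invalidated immediately,
    unlike a self-contained encrypted token that stays valid until it expires."""
    return _sessions.pop(_digest(ticket), None) is not None
```

An intercepted ticket is still usable until it expires or is revoked, exactly as the question notes; what changes is that the ticket itself carries no user information.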