
I've looked at this MSDN article: https://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx and this Stack Overflow question: Cookies with and without the Domain Specified (browser inconsistency) (rather lengthy, but it mentions some hurdles with ASP.NET cookie auth).

In the MSDN article, it mentions domain can be omitted if only one app exists. However, we already had multiple apps in production with domain omitted. Now that we have rolled out a new configuration with domain specified (.some.web.com), we have problems because some clients still have the old cookie, which would have defaulted the domain to something like child.some.web.com and takes precedence over the new cookie with a less-specific domain.

I've been trying to expire the cookie manually by sending the following header: Set-Cookie: .ASPXAUTH=x; expires=Mon, 04 May 2015 21:12:38 GMT; domain=child.some.web.com; path=/ but the browser continues to reject it. For normal cookies, when browsers receive it they will prepend . but for the ASPX forms auth cookie this doesn't seem to be the case, and I'm guessing that's somehow related to the problem.

Is there any way to invalidate the old cookie?

JAMSUPREME

1 Answer

Answer: Not passing domain in the expired cookie seems to do the trick. Example:

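using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;

[RoutePrefix("api/cookie")]
public class CleanCookieController : ApiController
{
    // GET api/cookie/clean: sends an already-expired auth cookie so the browser drops its stored copy.
    [Route("clean")]
    [HttpGet]
    public HttpResponseMessage Get(HttpRequestMessage request)
    {
        var r = new HttpResponseMessage(HttpStatusCode.OK);
        var cookie = new CookieHeaderValue("STAGING.ASPXFORMSAUTH", "x");
        cookie.Expires = DateTimeOffset.Now.AddDays(-5); // expiry in the past
        cookie.HttpOnly = true;
        cookie.Path = "/";
        // cookie.Domain is deliberately left unset, matching how the old cookie was issued.
        r.Headers.AddCookies(new CookieHeaderValue[] { cookie });
        return r;
    }
}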

I guess providing the domain somehow messes up set-cookie when the domain is not prefixed with . ?

edit: If anyone has a more precise answer that can support my "fix" with more information, that would be super.

JAMSUPREME
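The following added example (not code from the question or the answer) models the behaviour discussed above with a simplified cookie jar. It assumes cookies are keyed by name, domain, path and a host-only flag, as in the RFC 6265bis storage model; `CookieJar` and `migrate` are hypothetical names and the cookie values are constructed.

```javascript
// Simplified model of a browser cookie store (constructed data, not a real browser).
// Assumption: identity = name + domain + path + host-only flag (RFC 6265bis model).
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Apply one Set-Cookie received from `host`. `domainAttr` is the Domain
  // attribute (undefined when omitted). Returns false when the cookie is rejected.
  set(host, name, value, { domainAttr, path = "/", expires } = {}) {
    let domain = host, hostOnly = true;
    if (domainAttr !== undefined) {
      domain = domainAttr.replace(/^\./, "").toLowerCase(); // a leading dot is ignored
      // The request host must domain-match the Domain attribute.
      if (host !== domain && !host.endsWith("." + domain)) return false;
      hostOnly = false; // any Domain attribute makes this a domain cookie
    }
    const key = [name, domain, path, hostOnly].join("|");
    if (expires !== undefined && expires <= Date.now()) {
      this.cookies.delete(key); // an expired cookie evicts only the identical key
    } else {
      this.cookies.set(key, { name, value, domain, path, hostOnly });
    }
    return true;
  }

  // Cookies that would be sent to `host` (every cookie here uses path "/").
  sentTo(host) {
    return [...this.cookies.values()].filter(c =>
      c.hostOnly ? host === c.domain
                 : host === c.domain || host.endsWith("." + c.domain));
  }
}

// Replays the migration: legacy cookie without Domain, new cookie scoped to
// .some.web.com, then an expiry attempt with the given Domain attribute.
function migrate(expiryDomainAttr) {
  const jar = new CookieJar();
  const host = "child.some.web.com";
  const past = Date.now() - 5 * 24 * 3600 * 1000;
  jar.set(host, ".ASPXAUTH", "old");                                  // legacy, host-only
  jar.set(host, ".ASPXAUTH", "new", { domainAttr: ".some.web.com" }); // new configuration
  jar.set(host, ".ASPXAUTH", "x", { domainAttr: expiryDomainAttr, expires: past });
  return jar.sentTo(host).map(c => c.value).sort();
}
```

In this model, `migrate("child.some.web.com")` leaves both the old and new cookies in place, while `migrate(undefined)` removes only the legacy host-only cookie.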