2

Having trouble sharing an Identity Cookie (using ASP.NET Core v2) across multiple web applications

On my development environment, cookies are shared automatically (as it's localhost) - and that works fine!

When dealing with MS Azure, I've tried to set the cookie domain to .azurewebsites.net - to allow two web apps (e.g. app1.azurewebsites.net and app2.azurewebsites.net) to share a cookie.

Using the cookie configuration (abbreviated) like so:

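public IServiceProvider ConfigureServices(IServiceCollection services)
{
    services.ConfigureApplicationCookie(options =>
    {
        // Scope the Identity cookie to the parent domain shared by both apps
        options.Cookie.Domain = ".azurewebsites.net";
    });
    // ... (rest of the configuration and the return statement are abbreviated)
}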

However, when I deploy the main site (the one that generates cookies from logins) to Azure, I can't even log in. The .AspNetCore.Application.Identity cookie doesn't even get returned after entering username/password (or social logins).

I've also tried the solution here: https://stackoverflow.com/a/44310683/1025394, with no success.

Question is: Is there possibly any filtering going on on the Azure side of things, stopping me from setting a cookie for .azurewebsites.net? Maybe for security purposes?

ry8806
  • So... You are willing to send your auth cookie to someone's site also running in the azurewebsites.net domain? So they can hijack the session? – juunas Dec 06 '17 at 18:45
  • Yes, at no point did I say this was a good idea :P This is on a testing site, so it makes no odds to me, before I buy real domains – ry8806 Dec 07 '17 at 10:15

1 Answer

12

However, when I deploy the main site (the one that generates cookies from logins) to Azure, I can't even log in. The .AspNetCore.Application.Identity cookie doesn't even get returned after entering username/password (or social logins).

I searched the web and found that some domain names are not allowed to create cookies, for security reasons. The domains for Azure Cloud are listed as follows:

azurewebsites.net
azure-mobile.net
cloudapp.net

You can find the detailed list of domains here.

Moreover, if you want to share a cookie among your multiple web apps, you could map a custom domain name for your web apps (e.g. app1.yourwebsite.com, app2.yourwebsite.com) and set options.Cookie.Domain to .yourwebsite.com; for details about mapping a custom domain, you could follow here. Also, you need to configure data protection to use the same encryption keys for your multiple web apps. In addition, you could follow this similar issue.

Bruce Chen
  • Thank you so much @Bruce-chen! Yeah, I've done all the other steps you've mentioned about the DataProtection, both apps are using the same encryption keys. I just left that detail out to keep the question brief – ry8806 Dec 07 '17 at 10:21
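The browser-side rule behind the answer above, as an added example that is not part of the original question or answer: a simplified JavaScript model of how RFC 6265 (section 5.3) treats a Set-Cookie Domain attribute that is a public suffix. The suffix set is a constructed subset (the three Azure entries listed in the answer plus com and net), and the function names and yourwebsite.com hosts are illustrative assumptions.

```javascript
// Added example: simplified model of RFC 6265 section 5.3 (public suffix and
// domain-match checks). PUBLIC_SUFFIXES is a constructed subset; the real list
// also has wildcard and exception rules, which this sketch does not handle.
const PUBLIC_SUFFIXES = new Set([
  "com", "net", "azurewebsites.net", "azure-mobile.net", "cloudapp.net",
]);

// RFC 6265 section 5.1.3 for host names: identical, or host ends with
// "." + domain. IP-address hosts are out of scope for this sketch.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide what a browser does with the Domain attribute of a Set-Cookie header.
// requestHost: host that sent the response; domainAttr: raw attribute value.
function evaluateCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  // Section 5.2.3: lowercase the value and drop one leading dot.
  let domain = (domainAttr || "").trim().toLowerCase();
  if (domain.startsWith(".")) domain = domain.slice(1);

  if (domain !== "" && PUBLIC_SUFFIXES.has(domain)) {
    if (domain !== host) {
      // The case from the question: the cookie is silently discarded.
      return { stored: false, reason: "Domain is a public suffix" };
    }
    domain = ""; // the host itself is the suffix: fall back to host-only
  }
  if (domain === "") {
    return { stored: true, hostOnly: true, domain: host };
  }
  if (!domainMatches(host, domain)) {
    return { stored: false, reason: "host does not domain-match Domain" };
  }
  return { stored: true, hostOnly: false, domain };
}

// Constructed hosts mirroring the question and the answer's custom domain.
const cases = [
  ["app1.azurewebsites.net", ".azurewebsites.net"], // discarded
  ["app1.azurewebsites.net", ""],                   // host-only cookie
  ["app1.yourwebsite.com", ".yourwebsite.com"],     // shared with app2
  ["app1.yourwebsite.com", ".otherwebsite.com"],    // discarded
];
for (const [host, attr] of cases) {
  console.log(host, JSON.stringify(attr), evaluateCookieDomain(host, attr));
}
```

A cookie the browser stores for .yourwebsite.com is sent to both apps, but each app can only read it if they share the same data protection keys, as the answer notes.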