3

I am referring to the tutorial below to share cookies between 2 different MVC applications running locally:

https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-5.0

BaseApp2, running at https://localhost:44363/, has the configuration below:

    public void ConfigureServices(IServiceCollection services)
    {
        DirectoryInfo di = new DirectoryInfo(@"C:\SharedCookies");
        services.AddDataProtection()
            .PersistKeysToFileSystem(di)
            .SetApplicationName("SharedCookieApp");

        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Name = ".AspNet.SharedCookie";
        });

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.LoginPath = new PathString("/Account/SignIn");
        })
        .AddOktaMvc(new OktaMvcOptions
        {
            // Replace these values with your Okta configuration
            OktaDomain = Configuration.GetValue<string>("Okta:OktaDomain"),
            ClientId = Configuration.GetValue<string>("Okta:ClientId"),
            ClientSecret = Configuration.GetValue<string>("Okta:ClientSecret"),
            AuthorizationServerId = Configuration.GetValue<string>("Okta:AuthorizationServerId"),
            Scope = new List<string> { "openid", "profile", "email" },
        });
        services.AddControllersWithViews();
    }

And Subapp1, which should reuse baseapp2 cookies, running at https://localhost:44309/, has the configuration below:

    public void ConfigureServices(IServiceCollection services)
    {
        DirectoryInfo di = new DirectoryInfo(@"C:\SharedCookies");
        services.AddDataProtection()
            .PersistKeysToFileSystem(di)
            .SetApplicationName("SharedCookieApp");

        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Name = ".AspNet.SharedCookie";
            options.Cookie.Path = @"C:\SharedCookies";// "/";
        });

        services.AddControllersWithViews();
    }

When I log in to baseapp2 successfully, I can see the cookie is being created in its domain. It is also saved to the physical path mentioned there. But I am unable to log in to the second application using that cookie.

Am I missing anything? Please help.

attached screenshots


Mahesh

4 Answers

2

Two different domains (e.g. mydomain.com and subdomain.mydomain.com, or sub1.mydomain.com and sub2.mydomain.com) can only share cookies if the domain is explicitly named in the Set-Cookie header. Otherwise, the scope of the cookie is restricted to the request host. (This is referred to as a "host-only cookie". See What is a host only cookie?)

Your URLs are different!

You can use a virtual directory in IIS or a subdomain.

All modern browsers respect the newer specification RFC 6265, and will ignore any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.

Mohammad Kalhori
1

You have a strange Path value for the cookie:

The Path property specifies the subset of URIs on the origin server to which this Cookie applies. If this property is not specified, then this Cookie will be sent to all pages on the origin server or servers.

  • Probably you'll want / for both sites.
  • Maybe also specify the same cookie domain (not necessary in dev, maybe in production, depending on how the apps are deployed).
rekna
  • For Subapp1 I kept Options.Cookie.Path="/"; even with that it did not work locally. – Mahesh Jul 10 '21 at 15:39
  • I would first check if the cookie is sent with all requests to Subapp2 in the network tab of the browser; if not, probably the path and/or domain for both apps do not match. After logging in to baseapp2, check how the cookie is stored in the browser using dev tools (esp. path and domain properties). – rekna Jul 10 '21 at 22:56
  • Hi @rekna, I have attached screenshots for reference. – Mahesh Jul 12 '21 at 05:40
  • I am running both of them on localhost on my machine in Visual Studio, so the server should be the same, I think. – Mahesh Jul 12 '21 at 05:41
  • Don't know if this might have something to do with it, but .NET Core makes a distinction between essential and non-essential cookies. opts.Cookie.IsEssential = true;? Non-essential cookies require consent before they are sent... might be worth trying. – rekna Jul 12 '21 at 18:15
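
How a browser decides whether to attach a cookie, as an added example that is not part of the original answers: a reduced JavaScript model of the RFC 6265 storage and retrieval rules behind the host-only and Path points above. The function names and sample cookie values are constructed for illustration, and the model covers only the browser side, not ASP.NET Core's data protection or authentication schemes.

```javascript
// Reduced model of RFC 6265 cookie scoping (Domain and Path only).
// Not modelled: public-suffix checks, Secure/SameSite, expiry.

// 5.1.4 default-path: used when Path is missing or does not start with "/".
function defaultPath(uriPath) {
  const lastSlash = uriPath.lastIndexOf("/");
  return !uriPath.startsWith("/") || lastSlash === 0 ? "/" : uriPath.slice(0, lastSlash);
}

// 5.1.3 domain-match (IP-address exclusion simplified to a digits-and-dots test).
function domainMatch(host, domain) {
  return host === domain || (host.endsWith("." + domain) && !/^[\d.]+$/.test(host));
}

// 5.1.4 path-match.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// 5.3 storage: build the stored cookie from Set-Cookie attributes, or null if rejected.
function storeCookie(setByUrl, { name, domain, path }) {
  const url = new URL(setByUrl);
  const attr = (domain || "").replace(/^\./, "").toLowerCase(); // leading dot ignored
  if (attr && !domainMatch(url.hostname, attr)) return null; // foreign Domain rejected
  const validPath = path && path.startsWith("/");
  return { name, hostOnly: !attr, domain: attr || url.hostname,
           path: validPath ? path : defaultPath(url.pathname) };
}

// 5.4 retrieval: is the cookie attached to this request? The port is never consulted.
function isSent(cookie, requestUrl) {
  const { hostname, pathname } = new URL(requestUrl);
  const hostOk = cookie.hostOnly ? hostname === cookie.domain
                                 : domainMatch(hostname, cookie.domain);
  return hostOk && pathMatch(pathname, cookie.path);
}

// Constructed scenario using the two localhost URLs from the question.
function demo() {
  const setBy = "https://localhost:44363/Account/SignIn";
  const root = storeCookie(setBy, { name: ".AspNet.SharedCookie", path: "/" });
  const odd = storeCookie(setBy, { name: ".AspNet.SharedCookie", path: "C:\\SharedCookies" });
  const other = "https://localhost:44309/Home";
  return { rootSent: isSent(root, other), oddPath: odd.path, oddSent: isSent(odd, other) };
}
console.log(demo()); // { rootSent: true, oddPath: '/Account', oddSent: false }
```

In this model a Path value that does not start with "/" is replaced by the default-path of the URL that set the cookie, and two localhost ports count as the same host.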
0

Remove the options.Cookie.Path = @"C:\SharedCookies";// "/"; line from subapp1, or add it to the base app configuration.

I have done a similar thing and I did not require to specify cookie path explicitly.

Darshani Jayasekara
0

You can try this approach:

Create a file that sets the cookie on all 3 domains. Then create an HTML file that would load the files that set the cookie on the other 2 domains. Example:

    <html>
       <head></head>
       <body>
          <p>Please wait.....</p>
          <img src="http://domain2.com/setcookie?theme=1" />
          <img src="http://domain3.com/setcookie?theme=2" />
       </body>
    </html>

Then add an onload callback on the body tag. The document will only load when the images have completely loaded, that is, when the cookies are set on the other 2 domains.

If you can create this functionality in C#, then you can share cookies between websites.

kup