Cookie Domain not working #59070

Open
1 task
wangjunjx8868 opened this issue Nov 20, 2024 · 5 comments
Labels
area-security Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update.

Comments

@wangjunjx8868

wangjunjx8868 commented Nov 20, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Current: .NET 8.0
Cookie.Domain is not working.

   using Microsoft.AspNetCore.Authentication.Cookies;

   builder.Services.AddAuthentication(options =>
   {
       options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
   })
   .AddCookie(StudentAuthorizeAttribute.AuthenticationScheme, options =>
   {
       options.LoginPath = new PathString("/User/Login");
       options.LogoutPath = "/User/Logout";
       options.AccessDeniedPath = new PathString("/User/Denied");
       // Domain attribute written into the Set-Cookie header on sign-in
       options.Cookie.Domain = ".example.com";
       options.Cookie.Name = ".AspNet.SharedCookie";
       options.Cookie.Path = "/";
   });

On sign-in, I viewed the cookie in the Edge browser (F12 developer tools) and found that it automatically added the www; the result is .www.example.com. Why?

Expected Behavior

On sign-in, the cookie Domain is .example.com.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

8.0.101

Anything else?

No response

@martincostello
Member

Do you get the same behaviour if you remove the . from the start of the value?

@MackinnonBuck MackinnonBuck added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Nov 20, 2024
@BrennanConroy
Member

It also seems very unlikely that we are adding www to your cookie; I'd guess it's something the browser is doing.

You could verify by deleting the cookie and looking at the response and viewing the Set-Cookie header.
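For reading the result of that check, the following is an added example (not code from the issue, from ASP.NET Core, or from the commenters). It applies the RFC 6265 rules a browser uses when it stores a Set-Cookie header and when it decides which hosts receive the cookie: a leading dot in the Domain attribute is ignored, a cookie with no Domain attribute becomes a host-only cookie bound to exactly the request host, and Chromium-based DevTools (Edge, Chrome) display domain cookies with a leading dot and host-only cookies without one, whatever the header said. The two sample headers are constructed for illustration, and the cookie value is a placeholder.

```python
"""Added example: RFC 6265 Domain handling for a Set-Cookie header.

Not code from the issue or from ASP.NET Core.  The sample headers are
constructed; compare them against the real Set-Cookie header seen after
deleting the old cookie.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str       # normalised: lower-case, without a leading dot
    host_only: bool   # True when the header carried no Domain attribute
    path: str
    secure: bool
    http_only: bool


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 §5.1.3: host equals domain or is a subdomain of it.
    (The RFC also excludes IP-address hosts; omitted here for brevity.)"""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str, request_host: str) -> Optional[StoredCookie]:
    """RFC 6265 §5.2 attribute parsing plus the §5.3 storage decision.
    Returns None when a browser would reject the cookie outright."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    request_host = request_host.lower()
    domain_attr = attrs.get("domain", "")
    if domain_attr:
        # §5.2.3: a single leading dot is dropped, so ".example.com" and
        # "example.com" produce the same stored cookie.
        if domain_attr.startswith("."):
            domain_attr = domain_attr[1:]
        domain_attr = domain_attr.lower()
        # §5.3 step 6: the request host must domain-match the attribute,
        # otherwise the cookie is ignored.  (Browsers additionally reject
        # public suffixes such as "com"; not modelled here.)
        if not domain_matches(request_host, domain_attr):
            return None
        domain, host_only = domain_attr, False
    else:
        # No Domain attribute: host-only cookie, bound to the exact host.
        domain, host_only = request_host, True

    return StoredCookie(
        name=name.strip(),
        value=value.strip(),
        domain=domain,
        host_only=host_only,
        path=attrs.get("path", "/"),
        secure="secure" in attrs,
        http_only="httponly" in attrs,
    )


def would_be_sent(cookie: StoredCookie, host: str) -> bool:
    """§5.4: host-only cookies need an exact host match; domain cookies use
    domain-matching, which is what lets abc.example.com receive a cookie
    that www.example.com set with Domain=example.com."""
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return domain_matches(host, cookie.domain)


def devtools_domain(cookie: StoredCookie) -> str:
    """How Chromium DevTools renders the Domain column: a leading dot marks a
    domain cookie, no dot marks a host-only cookie."""
    return cookie.domain if cookie.host_only else "." + cookie.domain


# Constructed sample headers (placeholder value, not a real ticket).
SHARED = ".AspNet.SharedCookie=<ticket>; domain=example.com; path=/; secure; samesite=lax; httponly"
HOST_ONLY = ".AspNet.SharedCookie=<ticket>; path=/; secure; samesite=lax; httponly"

if __name__ == "__main__":
    for label, header in (("Domain=example.com", SHARED), ("no Domain attribute", HOST_ONLY)):
        cookie = parse_set_cookie(header, "www.example.com")
        print(f"{label}: DevTools shows {devtools_domain(cookie)}, "
              f"sent to abc.example.com: {would_be_sent(cookie, 'abc.example.com')}")
```

Run against the real header: if the Set-Cookie response carries `domain=example.com` (with or without the dot) the browser stores a domain cookie that abc.example.com will receive and DevTools shows `.example.com`; if the header carries no Domain attribute at all, DevTools shows `www.example.com` and the subdomain never receives it. The dot in the DevTools display therefore tells you whether a Domain attribute reached the browser, not how it was spelled in code.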

@wangjunjx8868
Author

wangjunjx8868 commented Nov 21, 2024

> Do you get the same behaviour if you remove the . from the start of the value?

Yes. If I remove the ., the result is www.example.com, and my subdomain website (abc.example.com) does not share this cookie either.

@dotnet-policy-service dotnet-policy-service bot added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels Nov 21, 2024
@wangjunjx8868
Author

> Do you get the same behaviour if you remove the . from the start of the value?

If a .NET Framework website sets the domain, the result is .example.com, not .www.example.com:

     using System.Web;
     using System.Web.Security;

     // Forms authentication ticket for the signed-in student
     FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(2, "admin", DateTime.Now, DateTime.Now.AddDays(1), true, stuId.ToString(), "/");
     HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
     cookie.HttpOnly = true;
     cookie.Domain = "example.com";
     Response.Cookies.Add(cookie);

@wangjunjx8868
Author

wangjunjx8868 commented Nov 21, 2024

> Do you get the same behaviour if you remove the . from the start of the value?

> It also seems very unlikely that we are adding www to your cookie, I'd guess it's something the browser is doing.
>
> You could verify by deleting the cookie and looking at the response and viewing the Set-Cookie header.

   builder.Services.AddAuthentication(options =>
   {
       options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
   })
   .AddCookie(StudentAuthorizeAttribute.AuthenticationScheme, options =>
   {
       options.LoginPath = new PathString("/Account/Login");
       options.LogoutPath = "/Account/Logout";
       options.AccessDeniedPath = new PathString("/Account/Denied");
       options.Cookie.Domain = "example.com"; // or .example.com
       //options.Cookie.Domain = ".example.com";
       options.Cookie.Name = ".AspNet.SharedCookie";
       options.Cookie.Path = "/";
       options.Cookie.HttpOnly = true;
       options.ExpireTimeSpan = TimeSpan.FromDays(1);
       options.SlidingExpiration = true;
   });

   app.UseRouting();
   app.UseCookiePolicy();   
   app.UseCors(MyAllowSpecificOrigins);
   app.UseAuthentication();
   app.UseAuthorization();
   app.UseResponseCaching();
   app.MapControllerRoute(
       name: "default",
       pattern: "{controller=Home}/{action=Index}/{id?}");

   app.Run();

4 participants