IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

IdentityServer3 Cookie Paths #3282

Open ionutcalin opened 8 years ago

ionutcalin commented 8 years ago

Issue

During my tests I've played with cookie options to restrict the path for which the cookies are issued, so that I can avoid the browser sending too many cookies on each trip.

Now the following cookies do not respect the Path set in IdentityServerOptions->AuthenticationOptions->CookieOptions:

- .idsrv.xsrf
- .idsvr.session
- .SignOutMessage
- .SignInMessage

Obs: All these cookies are always issued for the path of the virtual directory where the IdentityServer is mapped.

Only the authentication cookie (with IdentityServer3) .idsrv respects the path.

Is this by design?

PS On the other hand the cookie prefix set is ok, meaning it is respected by all the cookies.
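A quick way to verify the behaviour described in this report against a real deployment is to capture the `Set-Cookie` headers the server returns and check each cookie's `Path` (and, while at it, its `Secure`/`HttpOnly` flags). The script below is an added example and not part of this issue or of IdentityServer3 itself; the header values are constructed to mirror what the report describes, and the `/core` virtual directory and the `/core/connect` configured path are assumptions, not values from the project.

```python
"""Audit Set-Cookie headers: which cookies honour the configured Path?

Added example, not IdentityServer3 code. The sample headers below are
constructed to reproduce the behaviour described in the issue: only the
authentication cookie honours the configured Path, the rest fall back to
the application's virtual directory.
"""
from http.cookies import SimpleCookie

# Constructed sample: IdentityServer assumed to be mounted at /core, with
# CookieOptions.Path assumed to have been set to /core/connect.
SAMPLE_SET_COOKIE_HEADERS = [
    ".idsrv=AAA; Path=/core/connect; Secure; HttpOnly",
    ".idsrv.xsrf=BBB; Path=/core; Secure; HttpOnly",
    ".idsvr.session=CCC; Path=/core; Secure",
    ".SignInMessage=DDD; Path=/core; Secure; HttpOnly",
    ".SignOutMessage=EEE; Path=/core; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into name, path and security flags."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()  # one cookie per Set-Cookie header
    return {
        "name": name,
        # A cookie with no Path attribute gets a browser-computed default path;
        # we treat it as unrestricted here, which is the conservative reading.
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def audit_cookie_paths(headers, expected_path):
    """Return one finding per cookie, flagging those that ignore expected_path."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        cookie["path_ok"] = cookie["path"] == expected_path
        findings.append(cookie)
    return findings


def cookies_ignoring_path(headers, expected_path):
    """Names of cookies whose Path attribute differs from expected_path."""
    return sorted(
        c["name"] for c in audit_cookie_paths(headers, expected_path) if not c["path_ok"]
    )


def cookies_missing_httponly(headers):
    """Names of cookies that a script on the same origin could read."""
    return sorted(c["name"] for c in audit_cookie_paths(headers, "/") if not c["httponly"])


if __name__ == "__main__":
    for finding in audit_cookie_paths(SAMPLE_SET_COOKIE_HEADERS, "/core/connect"):
        status = "ok " if finding["path_ok"] else "IGNORES configured Path"
        print(f"{finding['name']:<20} path={finding['path']:<14} "
              f"secure={finding['secure']} httponly={finding['httponly']}  {status}")
```

On a real instance, replace the constructed list with the `Set-Cookie` values captured from the sign-in round trip (browser developer tools or a proxy). Cookies reported as ignoring the configured path are still scoped to the virtual directory, so they ride along on every request under it; whether that matters is a size and exposure question rather than a correctness one, which is the trade-off the maintainer's reply below points at.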

brockallen commented 8 years ago

I'd have to go through the code and look at each one (which I don't have time for now), but we do need many of those cookies in various places in IdSvr. Allowing the path to be changed might break different things in IdSvr.

snothub commented 6 years ago

Is there any place to look for a description of all the cookies that can get issued, what they are used for and their lifetime? A lot of clients/organizations require this information.

brockallen commented 6 years ago

@snothub I don't think we have anything formal on that, sorry.