dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Cookie Domain not working #59070

Open wangjunjx8868 opened 3 days ago

wangjunjx8868 commented 3 days ago

Is there an existing issue for this?

Describe the bug

Currently, in .NET 8.0, Cookie.Domain is not working:

```csharp
// Program.cs (ASP.NET Core 8.0)
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
// StudentAuthorizeAttribute.AuthenticationScheme is a scheme name defined elsewhere in the project
.AddCookie(StudentAuthorizeAttribute.AuthenticationScheme, options =>
{
    options.LoginPath = new PathString("/User/Login");
    options.LogoutPath = "/User/Logout";
    options.AccessDeniedPath = new PathString("/User/Denied");
    options.Cookie.Domain = ".example.com"; // intended to share the cookie across subdomains
    options.Cookie.Name = ".AspNet.SharedCookie";
    options.Cookie.Path = "/";
});
```

After signing in, I viewed the cookie in Edge's developer tools (F12) and found that the www had been added automatically; the result is .www.example.com. Why?

Expected Behavior

After signing in, the cookie domain is .example.com.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

8.0.101

Anything else?

No response

martincostello commented 3 days ago

Do you get the same behaviour if you remove the . from the start of the value?

BrennanConroy commented 3 days ago

It also seems very unlikely that we are adding www to your cookie, I'd guess it's something the browser is doing.

You could verify by deleting the cookie and looking at the response and viewing the Set-Cookie header.
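Where a cookie ends up, and which hosts later receive it, is decided by the browser's RFC 6265 processing of the Set-Cookie header, which is why inspecting that header is the right check. As an added example (not part of this thread or of ASP.NET Core), the Python below applies the RFC 6265 storage and domain-matching rules to constructed Set-Cookie lines modelled on the configuration above, showing that a leading dot is dropped, that Domain=example.com covers abc.example.com, and that a cookie with no Domain attribute is host-only (the public-suffix check is omitted).

```python
import re

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: equal, or `domain` is a label-aligned suffix of a DNS host name."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return host.endswith("." + domain) and re.fullmatch(r"[\d.]+", host) is None

def effective_domain(set_cookie: str, request_host: str):
    """What a user agent stores for the cookie (RFC 6265 section 5.3, steps 4-6):
    (domain, host_only), or None if the cookie is rejected. Public-suffix check omitted."""
    domain_attr = parse_set_cookie(set_cookie)["attrs"].get("domain", "")
    if domain_attr.startswith("."):      # section 5.2.3: a single leading dot is ignored
        domain_attr = domain_attr[1:]
    domain_attr = domain_attr.lower()
    if not domain_attr:                  # no Domain attribute: host-only cookie
        return request_host.lower(), True
    if not domain_match(request_host, domain_attr):
        return None                      # Domain does not cover the responding host: dropped
    return domain_attr, False

def is_sent_to(set_cookie: str, request_host: str, target_host: str) -> bool:
    """Would the stored cookie be attached to a later request to target_host (section 5.4)?"""
    stored = effective_domain(set_cookie, request_host)
    if stored is None:
        return False
    domain, host_only = stored
    if host_only:
        return target_host.lower() == domain
    return domain_match(target_host, domain)

# Constructed headers modelled on the thread's configuration (values are placeholders).
SHARED = ".AspNet.SharedCookie=<ticket>; domain=.example.com; path=/; httponly"
HOST_ONLY = ".AspNet.SharedCookie=<ticket>; path=/; httponly"

if __name__ == "__main__":
    print(effective_domain(SHARED, "www.example.com"))                   # ('example.com', False)
    print(is_sent_to(SHARED, "www.example.com", "abc.example.com"))      # True
    print(is_sent_to(HOST_ONLY, "www.example.com", "abc.example.com"))   # False
```

Run it against the exact Set-Cookie line captured from the login response to see what a conforming browser would store; a stored domain of www.example.com means the header carried no Domain attribute or one the browser rejected.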

wangjunjx8868 commented 3 days ago

> Do you get the same behaviour if you remove the . from the start of the value?

Yes. If I remove the ., the result is www.example.com, and my subdomain website (abc.example.com) does not share this cookie either.

wangjunjx8868 commented 3 days ago

> Do you get the same behaviour if you remove the . from the start of the value?

If a .NET Framework website sets the domain, the result is .example.com, not .www.example.com:

```csharp
// ASP.NET (System.Web) forms authentication, for comparison
using System.Web;
using System.Web.Security;

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(2, "admin", DateTime.Now, DateTime.Now.AddDays(1), true, stuId.ToString(), "/");
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
cookie.HttpOnly = true;
cookie.Domain = "example.com"; // browser shows .example.com for this cookie
Response.Cookies.Add(cookie);
```

wangjunjx8868 commented 3 days ago

> Do you get the same behaviour if you remove the . from the start of the value?

> It also seems very unlikely that we are adding www to your cookie, I'd guess it's something the browser is doing.
>
> You could verify by deleting the cookie and looking at the response and viewing the Set-Cookie header.

[screenshot attached]


```csharp
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(StudentAuthorizeAttribute.AuthenticationScheme, options =>
{
    options.LoginPath = new PathString("/Account/Login");
    options.LogoutPath = "/Account/Logout";
    options.AccessDeniedPath = new PathString("/Account/Denied");
    options.Cookie.Domain = "example.com"; // or ".example.com"
    //options.Cookie.Domain = ".example.com";
    options.Cookie.Name = ".AspNet.SharedCookie";
    options.Cookie.Path = "/";
    options.Cookie.HttpOnly = true;
    options.ExpireTimeSpan = TimeSpan.FromDays(1);
    options.SlidingExpiration = true;
});

var app = builder.Build();

app.UseRouting();
app.UseCookiePolicy();
app.UseCors(MyAllowSpecificOrigins); // CORS policy name defined earlier in Program.cs
app.UseAuthentication();
app.UseAuthorization();
app.UseResponseCaching();
app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");

app.Run();
```