We are currently working on a PoC Angular app that needs to communicate with multiple Service Stack APIs that are cookie based and have a custom credentials auth provider.
I am wondering what the recommended approach for authentication and cookie management would be in this case?
When I authenticate against Service A, I can see the ss-pid and ss-id cookies being sent on subsequent requests. Once I authenticate against Service B, it looks like the ss-pid and ss-id cookies are overwritten and these new values are sent to Service A and Service B.
Does this sound right?
From an architectural point of view, would you recommend other authentication providers like API Key management for this?
Also, if remember me is not set, does ss-id cookie work the same as how .Net auth cookies would be saved in browser vs. in a cookie?
If you’re getting different Cookies I’m assuming Service A and Service B are on different domains whereas the Cookies are unique per domain and reference a session stored on the server. If they’re just different subdomains you can restrict cookies to same domains.
Otherwise you could use JWT where the sessions are stateless and encapsulated in the ss-tok cookies.
Just to clarify a bit further - Service A and Service B are different subdomains on the same domain. However, if I share the cookies between sub-domain would I run the risk of the user’s session being shared across applications (which I do not want)? I am using Redis Cache client prefixed with the application name to store sessions - so this may not happen.
Or, do you suggest I use the SetCookieFilter to specify the domain/ path there so that the cookies are unique per subdomain?
This is ugly, you want to share cookies between 2 different services on the same sub domain, but not for other serivces sharing the same sub domain and shared distributed caching provider?
You’re making your system unnecessarily complex, it sounds like Service A and B should be in the same App which would be the easist solution. If you can’t do that you can use a reverse proxy like nginx to make it appear there the same app in the same subdomain by having paths like:
Otherwise use a different domain for Services you want to share sessions with or don’t share the same distributed caching provider between services you don’t want to share sessions with.
Sorry, I may not have explained my issue correctly here. Let me start again.
We have an Angular App that needs to talk to two different ServiceStack APIs - service1.domain.com and service2.domain.com. Both these are cookie based ServiceStack APIs.
These services do not need to share sessions or other user information between each other.
What we have noticed is that:
Angular app logs in to Service 1 and receives the ss-pid and ss-id http only cookies.
Angular app makes calls to api methods in service 1 and the cookies are validated succesfully.
Angular app logs in to Service 2 to access another set of API methods and receives the ss-pid and ss-id http only cookies.
Angular app makes calls to api methods in service 2 and the cookies are validated successfully.
Angular app makes a call to Service 1. This time, the cookies it receives are the ones generated in Step #3. Call to base.ExecuteAsync(req, res, requestDto); from our custom authentication attribute fails and returns a 401 error.
This is where I am getting confused:
Should I share the cookies between these two sub-domains Service 1 and Service 2? Will it cause issues with cookies being shared?
Or
Should I rather specify the domain/ path for the cookies so the cookies are unique per subdomain?
If Service 1 and Service 2 are on different sub domains then the Angular App would be sending different cookies to the different services? i.e. they’re treated as different sites and the cookies they receive for each Service are only going to be sent when calling Services on that domain.
Thanks Demis. This is exactly what I wanted to clarify. So could it be a localhost issue then as the domain coming through for the cookies is “” and the Path is “/” and the cookies for one are definitely overwriting the other.I will have a look again as well.