Cookie change (ss-id) when opening the website from a link from a different website

Hi,

I have an issue with login information that disappears. Users are suddenly logged out sometimes. I have it myself in the following situation:

  • I go to my website and log in, e.g. on http://localhost:5005/dashboard. If I reload the page I can see I am still logged in.
  • I go to a page on a different domain (e.g. a local HTML file). There is a link like this:
    <a href='http://localhost:5005/dashboard' target='_blank'>link</a>.
    If I open this link I go to my page, but my login information is gone and I have to log in again.

When I check the cookies I see that all are the same except for ss-pid and ss-id. There is a new ss-pid and ss-id.

How can I change this? I don’t want to have my login information gone if I click on a link to my website from another website.

I wanted to see if I could reproduce this issue in the example project GitHub - NetCoreApps/SimpleAuth.Mvc: Simple Auth demo showcasing integration with ServiceStack and ASP.NET .NET Core MVC but that project was a bit outdated. I also looked at GitHub - NetCoreTemplates/blazor: .NET 8 Blazor Tailwind App Template but that one also didn’t work out of the box for me. Hopefully the explanation above is enough.

Cookies are tied to a domain, whereby a request to a different domain is considered a cross-site request in which cookies aren’t shared.

To be able to share cookies the requests would need to come from the same domain; if they’re different apps you can serve them behind an external reverse proxy like NGINX Reverse Proxy, IIS Reverse Proxy using URL Rewrite and Application Request Routing, or a .NET Reverse Proxy like YARP.

To avoid an external Reverse Proxy you could use the Proxy Feature, which lets you proxy HTTP requests from a /path in a .NET App to an external .NET App on a different domain.

Alternatively you could use a Bearer Token Auth Provider like JWT Auth Provider or API Key Auth Provider where you can specify the authenticated JWT in a Service Client’s client.bearerToken to make Authenticated Requests to different domains.

Hi,
Thank you for your reply. The fact is that I am still on one domain. The link is only on another domain but that shouldn’t matter - it is just a link.

I put up an example here:
https://www.meesterklaas.nl/restfiles/temp/test.html
This is just a static HTML page. It has a link to another website, wozzol.nl. If you are logged in on Wozzol and you click on the link on the HTML page, you are logged out on wozzol.nl again. Very strange.

It works fine on your account.servicestack.net. I’ll try to create a reproducible demo tomorrow.

It’s because your test page is on a different domain so when you navigate to it from a different domain it doesn’t include any of the existing cookies for that domain which forces ServiceStack to re-create missing session cookies.

I would move that page to a page under https://www.wozzol.nl/ so any links to itself will include the existing cookies.

You can also try relaxing the same-site cookies behavior, e.g:

// In your AppHost's Configure()
SetConfig(new HostConfig {
    // Configure cookies to use SameSite=[null:Lax,true:Strict,false:None]
    UseSameSiteCookies = false
});
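
To see why the setting matters, here is an added example (not code from the thread or from ServiceStack) that models the browser's SameSite decision for the link click described above; the cookie names ss-id/ss-pid and the null:Lax / true:Strict / false:None mapping come from the thread, the decision rules are a simplified RFC 6265bis model, and the sites and cookie jar are constructed.

```javascript
// Added example, not code from the thread or from ServiceStack: a small model of
// the browser's SameSite decision for the link click described above. The cookie
// names (ss-id, ss-pid) and the HostConfig mapping null:Lax / true:Strict / false:None
// are taken from the thread; the decision rules are a simplified RFC 6265bis model.

// Registrable domain, simplified to the last two labels (real browsers consult the
// Public Suffix List). Enough for www.wozzol.nl -> wozzol.nl.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Does `cookie` accompany `request`? A request is cross-site when the page that
// initiated it lives on a different site than the request's target.
// request = { url, initiatorSite (null for address-bar navigations), method, topLevel }
function cookieSent(cookie, request) {
  const target = new URL(request.url);
  const crossSite = request.initiatorSite !== null && site(target.hostname) !== request.initiatorSite;
  if (!crossSite) return true;
  switch (cookie.sameSite) {
    case 'none':   return cookie.secure === true;               // None is only honoured with Secure
    case 'lax':    return request.topLevel && (request.method === 'GET' || request.method === 'HEAD');
    case 'strict': return false;                                // never sent cross-site, even on a link click
    default:       return false;
  }
}

// UseSameSiteCookies -> SameSite attribute, per the comment in the HostConfig snippet above.
function sameSiteFor(useSameSiteCookies) {
  if (useSameSiteCookies === null) return 'lax';
  return useSameSiteCookies ? 'strict' : 'none';
}

// Names of the ServiceStack session cookies that reach the server for `request`.
// If the list is empty, the server sees no session and issues fresh ss-id/ss-pid values,
// which is exactly the "logged out after following a link" symptom in the thread.
function survivingSessionCookies(useSameSiteCookies, request) {
  const sameSite = sameSiteFor(useSameSiteCookies);
  const jar = [                                                 // constructed cookie jar
    { name: 'ss-id',  sameSite, secure: true },
    { name: 'ss-pid', sameSite, secure: true },
  ];
  return jar.filter(c => cookieSent(c, request)).map(c => c.name);
}

// Constructed scenario from the thread: a link on meesterklaas.nl opens wozzol.nl in a new tab.
const linkClick = { url: 'https://www.wozzol.nl/dashboard', initiatorSite: 'meesterklaas.nl', method: 'GET', topLevel: true };
console.log(survivingSessionCookies(true, linkClick));   // Strict: [] -> session lost
console.log(survivingSessionCookies(null, linkClick));   // Lax:    ['ss-id', 'ss-pid']
```

With Strict the session cookies never accompany a cross-site top-level navigation, so the server creates a new session; with Lax (the null default) a plain link click still carries them, while a cross-site POST does not.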

Ah, that was what I was searching for. I had UseSameSiteCookies set to true for some reason. After changing it to null everything worked as I wanted it to. Thank you again!
