ServiceStack cookies and Path

sviluppo · June 6, 2018, 1:24pm

Hi, my ServiceStack app has 3 “sections” with separate sessions.

I have the need to use 3 different cookies, that differs only by path. The login procedure should generate a cookie with the respective Path.

Example:
`https://my.app.com/mainSection/login`
Cookie Domain: `app.com`
Cookie Path: `/mainSection`

https://my.app.com/otherSection/login
Cookie Domain: app.com
Cookie Path: /otherSection

How can I configure ServiceStack to do that?

mythz · June 6, 2018, 8:10pm

You can return your own Cookies with:

return new HttpResult(responseDto)
{
    Cookies = {
        new Cookie(name, value, path) {
            HttpOnly = true,
            Secure = Request.IsSecureConnection,
            Expires = DateTime.UtcNow.Add(jwtAuthProvider.ExpireTokensIn),
        }
    }
};

But you couldn’t change the built-in Cookies for ServiceStack Sessions only if they should be returned by overriding AppHost.AllowSetCookie(). I’ve just added AppHost.SetCookieFilter() in this commit. This change is available from v5.1.1 that’s now available on MyGet.

sviluppo · June 8, 2018, 9:47am

The SetCookieFilter seems to be the solutions we are looking for, but it does not seem to work on the ss-id cookie:

All other cookies are fine, but ss-id does not get the new Path, although I can see that SetCookieFilter is getting called for that cookie.

The ss-id cookie is the cookie we need this feature the most.

mythz · June 8, 2018, 1:36pm

You may have existing cookies or the path doesn’t match the request as overriding SetCookieFilter is setting the cookie path:

public override bool SetCookieFilter(IRequest req, Cookie cookie)
{
    cookie.Path = "/hello";   
    return base.SetCookieFilter(req, cookie);
}

sviluppo · June 8, 2018, 2:09pm

Edit: Found that! The following line is what is causing my problem. Why is it like that? You don’t have that error because you are using IIS, while I’m using the self-host version.

github.com

ServiceStack/ServiceStack/blob/e62ecdc963085dc07f437bfb569577de9be7e9f0/src/ServiceStack/Host/Cookies.cs#L116


      
                      else if (HostContext.Config.RestrictAllCookiesToDomain != null)
                      {
                          cookieOptions.Domain = HostContext.Config.RestrictAllCookiesToDomain;
                      }
                      return cookieOptions;
                  }
          #endif
          
          
        public static string AsHeaderValue(this Cookie cookie)
                  {
                      var path = cookie.Expires == Session
                          ? "/"
                          : cookie.Path ?? "/";
          
          
            var sb = StringBuilderCache.Allocate();
          
          
            sb.Append($"{cookie.Name}={cookie.Value};path={path}");
          
          
            if (cookie.Expires != Session)
                      {
                          sb.Append($";expires={cookie.Expires:R}");

This is my result:

I’m using a custom CredentialsAuthProvider. Do you have any clue on why only that cookie works like that?

This is my override for SetCookieFilter

public override bool SetCookieFilter(IRequest req, Cookie cookie)
{
    string module = GetModuleName(req);

    cookie.Path = string.Format("/{0}", module ?? "");
    Console.WriteLine(string.Format("{0} '{1}'", cookie.Name, cookie.Path);

    return base.SetCookieFilter(req, cookie);
}

This is an example output of that Console.WriteLine:

I’ve tested with Firefox and Insomnia, with and without old cookies (and Incognito mode).

mythz · June 8, 2018, 3:02pm

Not sure the logic of a / for session cookies has basically been there since the start and its behavior retained through multiple refactoring. From what I can tell from the earliest source code it was due to SetSessionCookie(name,value) only having 2 arguments to maintain a simple API, so I’m assuming it’s not necessary as the other hosts don’t have this behavior.

I’ve changed it to use cookie.Path if it exists in this commit, this change is available from the latest v5.1.1 that’s now available on MyGet.

sviluppo1 · June 11, 2018, 2:45pm

It works fine, but the ServerEvents paths seems not to understand the “{ignore}” placeholder. Is it possible to implement the same routing policy of the other paths?

var serverEvents = new ServerEventsFeature
            {
                LimitToAuthenticatedUsers = true,

                IdleTimeout = TimeSpan.FromSeconds(90),

                HeartbeatInterval = TimeSpan.FromSeconds(30),

                NotifyChannelOfSubscriptions = false,
            };

            serverEvents.HeartbeatPath = $$"/{{ignore}}/{serverEvents.HeartbeatPath}";
            serverEvents.StreamPath = $$"/{{ignore}}/{serverEvents.StreamPath}";
            serverEvents.SubscribersPath = $$"/{{ignore}}/{serverEvents.SubscribersPath}";
            serverEvents.UnRegisterPath = $$"/{{ignore}}/{serverEvents.UnRegisterPath}";

mythz · June 11, 2018, 2:49pm

No it’s not a Route, it’s an path endpoint.

mythz · June 11, 2018, 3:42pm

No it’s not possible, it needs to be a single static path. The SSE event-stream is not a Service, it’s a long-running HTTP Handler, they’re used to generate URLs which are sent to the client which use them verbatim.

There can only be a single path, if you want to pass custom params pass them on the queryString.

sviluppo1 · June 12, 2018, 9:05am

Querystring is not an options since we are talking about Cookie Path.

Anyway, I’d set up a ProxyFeature that basically does what {ignore} does, if anyone need this:

Plugins.Add(new ProxyFeature(
                req => Regex.IsMatch(req.PathInfo, @"^(\/[^\/]*)*?\/event-.*$"),
                req => Regex.Replace(req.PathInfo, @"^\/[^\/]*", "")
            ));

ServiceStack cookies and Path

Example: https://my.app.com/mainSection/login Cookie Domain: app.com Cookie Path: /mainSection

Example:
`https://my.app.com/mainSection/login`
Cookie Domain: `app.com`
Cookie Path: `/mainSection`