Set domain for authentication cookies on .NET Core


I am trying to get JWTToken authentication to work for services accessible through different subdomains. I’d like the ServiceStack login API to return the ss-tok, ss-sid cookies set to domain “” for which I’ve added subdomains to my hosts file. I am using to host the JWTAuthToken signing service for example.

I have tried using both the web config approach as outlined here:

    <httpCookies domain="" />

and the RestrictAllCookiesToDomain approach outlined here:

    SetConfig(new HostConfig
    {
        DebugMode = AppSettings.Get("DebugMode", false),
        AddRedirectParamsToQueryString = true,
        RestrictAllCookiesToDomain = ""
    });

However both approaches do not seem to set a domain in the cookie headers received in the response:

    Content-Type:application/json; charset=utf-8
    Date:Wed, 14 Dec 2016 14:17:06 GMT
    Server:nginx/1.4.6 (Ubuntu)
    Set-Cookie:ss-id=GODjtqGB5UEwrD5QEn4g; path=/
    Set-Cookie:ss-pid=8jzMkf8zHO5ht2RjlA9e; expires=Sun, 14 Dec 2036 14:17:05 GMT; path=/
    Set-Cookie:ss-opt=temp; expires=Sun, 14 Dec 2036 14:17:05 GMT; path=/
    Set-Cookie:X-UAId=18; expires=Sun, 14 Dec 2036 14:17:06 GMT; path=/
    Set-Cookie:ss-tok=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IlE5dSJ9.eyJzdWIiOjE4LCJpYXQiOjE0ODE3MjUwMjYsImV4cCI6MTQ4MjkzNDYyNiwiZW1haWwiOiJhZG1pbkBvcmRlcmJhc2UubmwiLCJnaXZlbl9uYW1lIjoiU3VwZXIiLCJmYW1pbHlfbmFtZSI6IkFkbWluIiwibmFtZSI6IlN1cGVyIEFkbWluIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic3VwZXIifQ.FPwi78nUVHxDg7Rfn5OZ4HMF4Zl5cG_2MPaZ9pWCOF8; expires=Wed, 28 Dec 2016 14:17:06 GMT; path=/; httponly
    X-Powered-By:ServiceStack/1.030 NETStandard/.NET

Am I doing something wrong? Have I run into a .NET Core/Kestrel thing? Any insight would be much appreciated.

I am currently using the following packages in my project.json file.

    "dependencies": {
      "Microsoft.NETCore.App": {
        "version": "1.0.1",
        "type": "platform"
      },
      "ServiceStack.Core": "1.0.*",
      "ServiceStack.Redis.Core": "1.0.*",
      "ServiceStack.Common.Core": "1.0.*",
      "ServiceStack.Client.Core": "1.0.*",
      "ServiceStack.Interfaces.Core": "1.0.*",
      "ServiceStack.Text.Core": "1.0.*",
      "Microsoft.AspNetCore.Diagnostics": "1.0.0",
      "Microsoft.AspNetCore.Server.IISIntegration": "1.0.0",
      "Microsoft.AspNetCore.Server.Kestrel": "1.0.1",
      "Microsoft.Extensions.Logging.Console": "1.0.0",
      "Microsoft.Extensions.Configuration": "1.0.0",
      "Microsoft.Extensions.Configuration.Json": "1.0.0"
    },

    "tools": {
      "Microsoft.AspNetCore.Server.IISIntegration.Tools": "1.0.0-preview2-final",
      "Microsoft.DotNet.Watcher.Tools": "1.0.0-preview2-final"
    },

    "frameworks": {
      "netcoreapp1.0": {
        "imports": [

RestrictAllCookiesToDomain option did not work in .NET Core and this behavior should be fixed with this commit.

It will be available in ServiceStack.Core after merging to master branch.


Ah thank you very much for the quick turnaround on this. :slight_smile:


@xplicit - It’s not working in my case. Both ss-id and ss-pid are getting the full domain and ignore RestrictAllCookiesToDomain.

It looks like SetCookie() is not called for NetCoreCookie here:

AddSessionCookie(string cookieName, string cookieValue, bool? secureOnly = null) is not using the explicit implementation and just appending the Cookie directly to the response with response.Cookies.Append(cookieName, cookieValue, options).

I think it should also call SetCookie() so the options get created by ToCookieOptions(this Cookie cookie).

Or did I miss something?

I created a small PR#1114 - would be great if this can be reviewed.


@sergLo You’re right, AddSessionCookie() should call NetCoreResponse.SetCookie() instead of just appending it to cookies collection. Can you briefly describe your scenario when RestrictAllCookiesToDomain setting is ignored? I will add this case to unit tests.

As for PR it looks good, thanks!

Hi @xplicit,

.NET Core (it's working fine for .NET Full as we are already using it this way)

User authenticates (CredentialsAuthProvider) on a subdomain and on another subdomain the session is gone because the session cookie is bound to first subdomain page.


  1. Go to
  2. Login (Cookie gets bounded to
  3. Go to
  4. Session is gone and the user has to login again

This is an expected behavior when Config.RestrictAllCookiesToDomain is not set.
If Config.RestrictAllCookiesToDomain = “” is provided the session should
remain intact for all subdomains.

Thanks for reviewing.
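
An added example (not part of the thread and not ServiceStack code) that reproduces the scenario above from the response headers alone: a cookie with no Domain attribute is host-only, so the browser returns it only to the subdomain that set it. The host names, `example.test`, the cookie values and all function names are constructed for illustration.

```python
# Added example: which hosts would a browser send each cookie back to?
# Host names, example.test and cookie values are constructed placeholders.
BEFORE_FIX = """\
Set-Cookie: ss-id=AAAA; path=/
Set-Cookie: ss-pid=BBBB; expires=Sun, 14 Dec 2036 14:17:05 GMT; path=/
Set-Cookie: ss-tok=CCCC; expires=Wed, 28 Dec 2016 14:17:06 GMT; path=/; httponly
"""
# Same response once a Domain attribute is emitted for every cookie.
AFTER_FIX = BEFORE_FIX.replace("path=/", "domain=example.test; path=/")
SESSION_COOKIES = ("ss-id", "ss-pid", "ss-tok")


def parse_set_cookie(headers):
    """Return {cookie name: {lower-cased attribute: value}} for each Set-Cookie line."""
    cookies = {}
    for line in headers.splitlines():
        field, _, value = line.partition(":")  # first colon only; dates keep theirs
        if field.strip().lower() != "set-cookie":
            continue
        pair, *attrs = [part.strip() for part in value.split(";")]
        attr_map = cookies.setdefault(pair.partition("=")[0], {})
        for attr in filter(None, attrs):
            key, _, val = attr.partition("=")
            attr_map[key.strip().lower()] = val.strip()
    return cookies


def sent_to(request_host, origin_host, attrs):
    """RFC 6265 matching: host-only without Domain, else suffix match on a label boundary."""
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return request_host == origin_host
    return request_host == domain or request_host.endswith("." + domain)


def lost_on(headers, origin_host, other_host):
    """Session cookies set by origin_host that other_host will never receive."""
    cookies = parse_set_cookie(headers)
    return [name for name in SESSION_COOKIES
            if name in cookies and not sent_to(other_host, origin_host, cookies[name])]


def missing_flags(headers, flags=("httponly", "secure")):
    """Protective flags absent per cookie; worth reviewing once cookies span subdomains."""
    return {name: [f for f in flags if f not in attrs]
            for name, attrs in parse_set_cookie(headers).items()}


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, lost_on(hdrs, "auth.example.test", "app.example.test"), missing_flags(hdrs))
```

Once the cookies are scoped to the parent domain, every subdomain receives the session and JWT cookies, so the `missing_flags` output is the part to review alongside the Domain attribute.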

@xplicit @mythz - Can this be merged and deployed as pre-release? I don’t want to push hard - but this is a very important fix for us.


@sergLo this change is merged into master branch so it’s ready for pushing to nuget.

@sergLo This fix in ServiceStack.Core v1.0.35 is available on nuget


Works :thumbsup: - thanks.