Set domain for authentication cookies on .NET Core

Hello,

I am trying to get JWTToken authentication to work for services accessible through different subdomains. I’d like the ServiceStack login API to return the ss-tok and ss-sid cookies with the domain set to “.mywebsite.dev”, for which I’ve added subdomains to my hosts file. For example, I am using login.mywebsite.dev to host the JWTAuthToken signing service.

I have tried both the web config approach as outlined here:

  <system.web>
    <!-- httpCookies is a system.web element; it is not read under system.webServer -->
    <httpCookies domain=".mywebsite.dev" />
  </system.web>

and the RestrictAllCookiesToDomain approach outlined here:

SetConfig(new HostConfig
{
    DebugMode = AppSettings.Get("DebugMode", false),
    AddRedirectParamsToQueryString = true,
    RestrictAllCookiesToDomain = ".mywebsite.dev"
});

However, neither approach seems to set a domain in the cookie headers received in the response:

Connection:keep-alive
Content-Type:application/json; charset=utf-8
Date:Wed, 14 Dec 2016 14:17:06 GMT
Server:nginx/1.4.6 (Ubuntu)
Set-Cookie:ss-id=GODjtqGB5UEwrD5QEn4g; path=/
Set-Cookie:ss-pid=8jzMkf8zHO5ht2RjlA9e; expires=Sun, 14 Dec 2036 14:17:05 GMT; path=/
Set-Cookie:ss-opt=temp; expires=Sun, 14 Dec 2036 14:17:05 GMT; path=/
Set-Cookie:X-UAId=18; expires=Sun, 14 Dec 2036 14:17:06 GMT; path=/
Set-Cookie:ss-tok=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IlE5dSJ9.eyJzdWIiOjE4LCJpYXQiOjE0ODE3MjUwMjYsImV4cCI6MTQ4MjkzNDYyNiwiZW1haWwiOiJhZG1pbkBvcmRlcmJhc2UubmwiLCJnaXZlbl9uYW1lIjoiU3VwZXIiLCJmYW1pbHlfbmFtZSI6IkFkbWluIiwibmFtZSI6IlN1cGVyIEFkbWluIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic3VwZXIifQ.FPwi78nUVHxDg7Rfn5OZ4HMF4Zl5cG_2MPaZ9pWCOF8; expires=Wed, 28 Dec 2016 14:17:06 GMT; path=/; httponly
Transfer-Encoding:chunked
Vary:Accept
X-Powered-By:ServiceStack/1.030 NETStandard/.NET

Am I doing something wrong? Have I run into a .NET Core/Kestrel thing? Any insight would be much appreciated.

I am currently using the following packages in my project.json file.

{
  "dependencies": {
    "Microsoft.NETCore.App": {
      "version": "1.0.1",
      "type": "platform"
    },
    "ServiceStack.Core": "1.0.*",
    "ServiceStack.Redis.Core": "1.0.*",
    "ServiceStack.Common.Core": "1.0.*",
    "ServiceStack.Client.Core": "1.0.*",
    "ServiceStack.Interfaces.Core": "1.0.*",
    "ServiceStack.Text.Core": "1.0.*",
    "Microsoft.AspNetCore.Diagnostics": "1.0.0",
    "Microsoft.AspNetCore.Server.IISIntegration": "1.0.0",
    "Microsoft.AspNetCore.Server.Kestrel": "1.0.1",
    "Microsoft.Extensions.Logging.Console": "1.0.0",
    "Microsoft.Extensions.Configuration": "1.0.0",
    "Microsoft.Extensions.Configuration.Json": "1.0.0"
  },

  "tools": {
    "Microsoft.AspNetCore.Server.IISIntegration.Tools": "1.0.0-preview2-final",
    "Microsoft.DotNet.Watcher.Tools": "1.0.0-preview2-final"
  },

  "frameworks": {
    "netcoreapp1.0": {
      "imports": [
        "dotnet5.6",
        "portable-net45+win8"
      ]
    }
  }
}

The RestrictAllCookiesToDomain option did not work in .NET Core; this behavior should be fixed with this commit.

It will be available in ServiceStack.Core after merging to master branch.


Ah thank you very much for the quick turnaround on this. :slight_smile:

Hi,

@xplicit - It’s not working in my case. Both ss-id and ss-pid are getting the full domain and ignore RestrictAllCookiesToDomain.

It looks like SetCookie() is not called for NetCoreCookie here:

AddSessionCookie(string cookieName, string cookieValue, bool? secureOnly = null) is not using the explicit implementation and just appends the cookie directly to the response with response.Cookies.Append(cookieName, cookieValue, options).

I think it should also call SetCookie() so the options get created by ToCookieOptions(this Cookie cookie).

Or did I miss something?

I created a small PR#1114 - would be great if this can be reviewed.

Thanks

@sergLo You’re right, AddSessionCookie() should call NetCoreResponse.SetCookie() instead of just appending it to the cookies collection. Can you briefly describe your scenario in which the RestrictAllCookiesToDomain setting is ignored? I will add this case to the unit tests.

As for PR it looks good, thanks!

Hi @xplicit ,

Scenario:
.NET Core (it’s working fine for .NET Full, as we are already using it this way)

The user authenticates (CredentialsAuthProvider) on one subdomain, and on another subdomain the session is gone because the session cookie is bound to the first subdomain.

Steps:

  1. Go to team1.example.com
  2. Login (cookie gets bound to team1.example.com)
  3. Go to team2.example.com
  4. Session is gone and the user has to log in again

Result:
This is the expected behavior when Config.RestrictAllCookiesToDomain is not set.
If Config.RestrictAllCookiesToDomain = “example.com” is provided, the session should
remain intact for all .example.com subdomains.

Thanks for reviewing.
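The behaviour in the steps above, and the absence of a domain attribute in the Set-Cookie headers shown in the original question, both come down to RFC 6265 cookie scoping: a cookie without a Domain attribute is host-only and is returned only to the exact host that set it, while Domain=example.com makes it reach every subdomain. The checker below is an added example written for this thread, not ServiceStack's own code; it parses Set-Cookie values and predicts whether the ss-id session cookie from one subdomain would be sent to another. The header lines are constructed placeholders modelled on the response in the question, and the code assumes plain hostnames (no IP literals) and skips the public-suffix-list check that browsers additionally apply.

```python
"""Predict cookie scope from Set-Cookie headers (RFC 6265 sections 5.1.3, 5.3, 5.4).
Added example for this thread; not ServiceStack code. Assumes hostnames only and
does not apply the public suffix list."""
from typing import Dict, List, Union

Cookie = Dict[str, Union[str, bool, None]]

# Constructed sample headers modelled on the response in the question above.
# Cookie values are placeholders, not the identifiers from the thread.
HEADERS_HOST_ONLY: List[str] = [
    "ss-id=SESSION_ID_PLACEHOLDER; path=/",
    "ss-pid=PERMANENT_ID_PLACEHOLDER; expires=Sun, 14 Dec 2036 14:17:05 GMT; path=/",
    "ss-tok=JWT_PLACEHOLDER; expires=Wed, 28 Dec 2016 14:17:06 GMT; path=/; httponly",
]

# The same cookies as they would look once a domain attribute is applied.
HEADERS_DOMAIN_SCOPED: List[str] = [h + "; domain=.example.com" for h in HEADERS_HOST_ONLY]


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into its name, value and the attributes that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Cookie = {
        "name": name.strip(),
        "value": value.strip(),
        "domain": None,  # None means host-only (RFC 6265 5.3 step 6)
        "path": "/",
        "httponly": False,
        "secure": False,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()  # a leading dot is ignored
        elif key == "path" and val:
            cookie["path"] = val
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3 domain-matching: equal, or host is a subdomain of domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def will_be_sent(cookie: Cookie, set_by_host: str, request_host: str) -> bool:
    """Would a browser that received `cookie` from `set_by_host` send it to `request_host`?"""
    domain = cookie["domain"]
    if domain is None:
        # Host-only cookie: only the exact host that set it gets it back.
        return set_by_host.lower() == request_host.lower()
    if not domain_matches(set_by_host, str(domain)):
        # Browsers reject a Domain attribute that does not cover the setting host.
        return False
    return domain_matches(request_host, str(domain))


def session_survives(headers: List[str], login_host: str, other_host: str,
                     session_cookie: str = "ss-id") -> bool:
    """True if the named session cookie issued by `login_host` reaches `other_host`."""
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] == session_cookie:
            return will_be_sent(cookie, login_host, other_host)
    return False


def audit(headers: List[str]) -> List[str]:
    """Defender's checklist: report cookies issued without HttpOnly or Secure."""
    findings = []
    for header in headers:
        c = parse_set_cookie(header)
        if not c["httponly"]:
            findings.append(f"{c['name']}: missing HttpOnly")
        if not c["secure"]:
            findings.append(f"{c['name']}: missing Secure")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("host-only", HEADERS_HOST_ONLY), ("domain-scoped", HEADERS_DOMAIN_SCOPED)):
        ok = session_survives(hdrs, "team1.example.com", "team2.example.com")
        print(f"{label}: ss-id from team1 reaches team2.example.com -> {ok}")
    for finding in audit(HEADERS_HOST_ONLY):
        print("audit:", finding)
```

Running the script shows the host-only headers failing the team1 to team2 check and the domain-scoped ones passing it, which is exactly the difference the fix for RestrictAllCookiesToDomain is meant to produce. The audit function is there because widening a cookie's scope to the whole registrable domain means every subdomain can now read or replay it, so it is the moment to confirm that the session cookies also carry HttpOnly and Secure.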

@xplicit @mythz - Can this be merged and deployed as pre-release? I don’t want to push hard - but this is a very important fix for us.

Thanks

@sergLo this change is merged into the master branch, so it’s ready to be pushed to NuGet.

@sergLo This fix is available in ServiceStack.Core v1.0.35 on NuGet.


Works :thumbsup: - thanks.