Sharing cookies between 2 .NET Core Applications DataProtectionProvider

Question

I am trying to share the authentication cookie between three web applications set up under single website in IIS. The first two are both .NET Core 2.1 applications and Im struggling to even get them to share it. My problem is the same as

Sharing Cookies Between Two ASP.NET Core Applications

but I cant get it to work in my environment. I have read "Sharing cookies among apps with ASP.NET and ASP.NET Core." and downloaded the "Cookie Sharing App Sample" and got it working (as the third app is ASP.NET) and now my code in StartUp.cs looks like this in both the 2 .NET Core applications

services.AddDataProtection()
    .PersistKeysToFileSystem(new 
     DirectoryInfo(persistKeysToFileSystemDirectory))
            .SetApplicationName(applicationName);

        services.ConfigureApplicationCookie(options => {
            options.Cookie.Name = cookieName;
            options.Cookie.SameSite = SameSiteMode.Lax;
            options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
        });

If the two application solutions run under localhost on my local machine (IISEXPRESS)

http:\localhost:8174\

http:\localhost:8175\

they work fine but when I deploy to the server (IIS) the url becomes

http:\devserver1:8000\App1

http:\devserver1:8000\App2

and they do not share the authentication

If I change my local solutions to run as

http:\localhost:8174\App1

http:\localhost:8175\App2

They do not share the authentication

I didnt think that I had to set the cookie domain property as they are all under the same site however I have experimented with locally

options.Cookie.Domain = "localhost";

and on the server

options.Cookie.Domain = "devserver1";

and nothing works and sometimes it wont even let me login (invalid domain?)

Any help would be appreciated

** UPDATE **

I am getting anxious and have progressed it and have more to add.

if I set the Applications up as separate web sites with different ports on devserver1

http:\devserver1:8174\

http:\devserver1:8175\

It works and they share the authentication (also I have not had to set the options.Cookie.Domain value) - however I will not be able to refer from one to the other using the relative url anymore so App1 will not be able to go to \App2 - I will have to use the full url - but at least it works

Its not the end of the world but this seems to undermine the whole concept of Applications in IIS Websites (what the point of them?) so Im starting to wonder whether the way Im setting up IIS is the problem.

I create an empty Website and then "Add Application" for each of my applications

Currently I am just trying to get this working on the Development server (devserver1) so I dont set up Host names as such I just refer to the webserver by the machine name

This all worked fine under FormsAuthentication sharing the machine key and Im really beginning to regret I started looking at .NET Core

Any help will be greatly appreciated

Answer 1

Try setting the cookie path value as below. By default it'll be restricted to App1 or App2 (my experience).

options.Cookie.Path = "/";

Check Controlling Cookie Scope.

Answer 2

I got it, for this I did the following:

I created one website, and add 2 applications, like you:

http:\devserver1:8000\App1, http:\devserver1:8000\App2

Then use below in StartUp:

services.AddDataProtection()
.PersistKeysToFileSystem(new 
 DirectoryInfo(persistKeysToFileSystemDirectory))
        .SetApplicationName(applicationName);

    services.ConfigureApplicationCookie(options => {
        options.Cookie.Name = cookieName;
        options.Cookie.Path = "/";// it's necessary, because by default cookie Path for App1 will be /App1, and for App2 /App2.
    });

Setting domain is not necessary, as I understood, will take domain by default