Membership cookie with subdomain v 10.4 Umbraco #help-with-umbraco

Membership cookie with subdomain v 10.4

rober_allsopp_eqtr

09/26/2023, 10:11 AM

Hi all, I have an umbraco website running on (e.g.) www.mydomain.com and a separate site running on sub.mydomain.com which logs in via an API. I've set this in my startup (above "services.AddUmbraco()" in case that's relevant) : services.ConfigureApplicationCookie(options => { options.ExpireTimeSpan = TimeSpan.FromDays(365); options.Cookie.Domain = ".mydomain.com"; }); I can see the cookie lifespan being changed to 365 days but it's ignoring the cookie domain and the cookie value is still set to www.mydomain.com. This means when I log in via sub.mydomain.com no cookie is being returned. It logs me in, but I have no way of persisting that login if the user closes their browser. Is there another way I can set the cookie domain? Is it possible to set it from the API endpoint rather than startup? Thanks in advance!

huwred

09/26/2023, 10:15 AM

I think you need to do something like

huwred

09/26/2023, 10:16 AM

Copy code

csharp
services.ConfigureApplicationCookie(options =>
{
    var protectionProvider = DataProtectionProvider.Create(new DirectoryInfo(@"c:\shared-auth-ticket-keys\"));

    options.Cookie.Name = ".AuthCookie";
    options.Cookie.Expiration = TimeSpan.FromDays(7);
    options.LoginPath = "/Account/Login";
    options.Cookie.Domain = ".example.com";
    options.DataProtectionProvider = protectionProvider;
    options.TicketDataFormat = new TicketDataFormat(protectionProvider.CreateProtector("Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware", "Cookies", "v2"));
});

huwred

09/26/2023, 10:17 AM

I believe the DataProtectionProvidor is the key https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-7.0

rober_allsopp_eqtr

09/26/2023, 10:34 AM

thank you @huwred, will give that a go. Would the API technically be a separate login path? I have a controller endpoint for www.mydomain.com which would be "/login", but the API endpoint is "api/account/login"?

crl

09/26/2023, 4:10 PM

@huwred will DirectoryInfo(@"c:\shared-auth-ticket-keys\" work on a azure webapp hosted approach rather than a server?

crl

09/26/2023, 4:10 PM

(I am working on this with Rob so going to try and implement this approach but as we are on webapps I wasn't sure it will work)

huwred

09/26/2023, 4:16 PM

Possibly not, you may need to play around with the directory path to get it to write to the file system

huwred

09/26/2023, 5:26 PM

The answer in this post might be the answer https://our.umbraco.com/forum/using-umbraco-and-getting-started/112694-umbraco-10-set-membership-domain-to-allow-subdomains

crl

09/26/2023, 8:38 PM

Thanks @huwred , I think Allen's comment is for the back office cookie rather than members?

crl

09/26/2023, 8:45 PM

I will give it a try tomorrow and post back here/ on forum if it works 🙂

8 Views

Previous Next