I'm working on a .NET website that uses cookies for forms authentication, and I wanted to add another secure cookie to hold access and refresh tokens. The cookie is being added to Response.Cookies
and everything seems fine. I used Fiddler to inspect the response headers to make sure the Set-Cookie
header was being set.
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /
Set-Cookie:
TestTokenCookie=(truncated for brevity);
domain=local.foobar.com;
expires=Sun, 18-Nov-2018 14:42:56 GMT;
path=/
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=Edge,chrome=1
Date: Mon, 20 Aug 2018 13:42:59 GMT
Content-Length: 118
The response looks correct, but no cookie appears in the browser for it. I'm using the EditThisCookie Chrome extension to view which cookies have been set. Here's the code I used to set the cookie.
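/// <summary>
/// Builds a version-1 forms-authentication ticket from the token data and hands it to
/// <c>CreateCookieFromTicket</c> to be written to the response under <c>TOKEN_COOKIE_NAME</c>.
/// </summary>
/// <param name="tokenCookieData">Supplies the ticket's user name (<c>Username</c>) and its
/// user data (the result of <c>ToString()</c>).</param>
/// <param name="currentContext">Context whose response receives the cookie.</param>
/// <param name="createPersistentTicket">Stored as the ticket's persistence flag.</param>
public void CreateTokenCookie(TokenCookieData tokenCookieData, HttpContextBase currentContext, bool createPersistentTicket = true)
{
    // Ticket lifetime in days.
    // NOTE(review): this applies whatever the lifetime of the tokens inside the ticket is;
    // confirm it is not longer than the refresh token's own validity.
    const int ticketLifetimeDays = 90;

    // Read the clock once so the expiration is exactly the issue date plus the lifetime.
    var issuedAt = DateTime.Now;

    // NOTE(review): the user data presumably carries the access and refresh tokens. The
    // encrypted ticket becomes the cookie value, and browsers commonly discard cookies
    // larger than roughly 4 KB, so the length of ToString() matters - verify it.
    var ticket = new FormsAuthenticationTicket(
        1,
        tokenCookieData.Username,
        issuedAt,
        issuedAt.AddDays(ticketLifetimeDays),
        createPersistentTicket,
        tokenCookieData.ToString());

    // The token cookie is always requested as HttpOnly (third argument).
    CreateCookieFromTicket(ticket, TOKEN_COOKIE_NAME, true, currentContext);
}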
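/// <summary>
/// Encrypts a forms-authentication ticket and adds it to the response as a cookie,
/// replacing any cookie of the same name already queued on the response.
/// </summary>
/// <param name="ticket">Ticket to encrypt; its expiration is used for a persistent cookie.</param>
/// <param name="cookieName">Name of the cookie to write.</param>
/// <param name="httpOnly">Value for the cookie's HttpOnly flag.</param>
/// <param name="currentContext">Context whose response receives the cookie.</param>
private void CreateCookieFromTicket(FormsAuthenticationTicket ticket, string cookieName, bool httpOnly, HttpContextBase currentContext)
{
    // NOTE(review): the encrypted value is larger than the ticket's user data. Browsers
    // commonly discard a cookie whose name, value and attributes exceed roughly 4 KB,
    // without any error, so check the length of this string when the ticket holds tokens.
    var encryptedTicket = FormsAuthentication.Encrypt(ticket);

    var cookie = new HttpCookie(cookieName, encryptedTicket)
    {
        HttpOnly = httpOnly,
        // Mirrors the forms-authentication requireSSL setting. When that setting is false
        // the cookie is not marked Secure and is also sent over plain HTTP.
        Secure = FormsAuthentication.RequireSSL,
        Path = FormsAuthentication.FormsCookiePath
    };

    // Only a persistent ticket gets an Expires attribute. Setting it unconditionally turned
    // a non-persistent ticket into a cookie kept on disk until the ticket's expiration.
    if (ticket.IsPersistent)
    {
        cookie.Expires = ticket.Expiration;
    }

    // NOTE(review): GetCookieDomain is defined elsewhere. A Domain value that does not match
    // the host of the request makes the browser reject the cookie - confirm what it returns.
    var domain = GetCookieDomain();
    if (domain != null)
    {
        cookie.Domain = domain;
    }

    var responseCookies = currentContext.Response.Cookies;

    // Remove unconditionally. On a live response the indexer creates an empty cookie when the
    // name is absent, so a null check on it never detects "not present". Removing a name
    // that is not in the collection does nothing.
    responseCookies.Remove(cookieName);
    responseCookies.Add(cookie);
}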
Any ideas why the cookie is not being set in the browser?