I have 2 ASP.NET Core 2.2 applications and I want to share session between them. I've set up session in a SQL database and both connect OK. They are on different subdomains. I understand that I can set the Cookie.Domain in the startup file, which would solve the problem at a basic level, so each application would create the cookie such that it can be accessed, e.g.

Domain 1. "www.website.com"
Domain 2. "dashboard.website.com"

At present these sites can't access each other's session cookie.

If I set the domain cookie to ".website.com", both should be able to access this.

The problem is that we have multiple domains that use this website, so it could be:

www.domain1.com
dashboard.domain1.com

www.domain2.com
dashboard.domain2.com

www.domain3.com
dashboard.domain3.com

I need to be able to inject the current host name into the startup cookie domain, in order to have it dynamically set, depending on the domain of the active website.

Is this at all possible?

Thanks in advance, David

David Hendrick

1 Answer

No, it's not possible. Cookies are domain-bound. You can set a wildcard for the subdomain portion on the cookie, which would then allow it to be seen by example.com, www.example.com, foo.example.com, etc., but you cannot share with an entirely different domain altogether, such as example2.com.

Your only option in this case is an Identity provider like IdentityServer, Auth0, Azure AD, etc. The way these work is that the auth cookie is set at the provider, and then each individual app is authorized against that provider. As such, they can receive the user principal from the provider, without having the actual auth cookie or their own login functionality.

UPDATE

If you just need to share between sites on the same primary domain, then follow the instructions in the docs. That's focused on auth cookies. If you need to share sessions as well, the same procedure applies, but you must additionally have a true distributed cache setup (Redis, SQL Server, etc.). There's a distributed memory cache, but that's just a default implementation, and it's not actually distributed.

Chris Pratt
  • Thanks for your reply. Perhaps I wasn't entirely clear. I don't want all domains to see each other. I want www.domain1.com to see dashboard.domain1.com. I want www.domain2.com to see dashboard.domain2.com. I don't need www.domain1.com to see dashboard.domain2.com – David Hendrick Jul 26 '19 at 16:54
  • I need to be able to inject the running domain into the setup of the cookie. – David Hendrick Jul 26 '19 at 16:55
  • Thanks Chris. The problem I'm having is how to support the different variants we have, i.e. we need to have different cookie domains, but each only needs to be able to access its own domain. For that reason I can't just add ".domain1.com" as I need to be able to support ".domain2.com". I don't need domain1 and domain 2 to share session, I do need www.domain1.com to share with dashboard.domain1.com and also for www.domain2.com to share session with dashboard.domain2.com. Thanks – David Hendrick Jul 29 '19 at 08:55
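
The per-site cookie domain described in the question and comments, as an added example that is not code from any of the posts above: a session `CookieBuilder` that chooses `Domain` per request from a fixed allow-list instead of copying the client-supplied `Host` header. The class name, the allow-list contents and the HTTPS-only assumption are hypothetical.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Http;

// Added example: picks the session cookie Domain per request.
public class PerSiteSessionCookieBuilder : CookieBuilder
{
    // Constructed allow-list of the parent domains this deployment serves.
    private static readonly string[] AllowedParents =
        { "domain1.com", "domain2.com", "domain3.com" };

    public PerSiteSessionCookieBuilder()
    {
        // Replacing SessionOptions.Cookie drops the built-in session
        // defaults, so they are restated here.
        Name = ".AspNetCore.Session";
        Path = "/";
        HttpOnly = true;
        SameSite = SameSiteMode.Lax;
        // Assumption: every site is served over HTTPS only.
        SecurePolicy = CookieSecurePolicy.Always;
    }

    // Returns the allow-listed parent for a host, or null if none matches.
    // The "." prefix check stops "evildomain1.com" matching "domain1.com".
    public static string ParentFor(string host) =>
        AllowedParents.FirstOrDefault(p =>
            host.Equals(p, StringComparison.OrdinalIgnoreCase) ||
            host.EndsWith("." + p, StringComparison.OrdinalIgnoreCase));

    public override CookieOptions Build(HttpContext context, DateTimeOffset expiresFrom)
    {
        var options = base.Build(context, expiresFrom);
        // Request.Host comes from the Host header, which the client
        // controls, so it is only used as a lookup key.
        var parent = ParentFor(context.Request.Host.Host);
        // Unknown host: leave Domain unset so the cookie stays host-only.
        options.Domain = parent == null ? null : "." + parent;
        return options;
    }
}

// In Startup.ConfigureServices:
// services.AddSession(o => o.Cookie = new PerSiteSessionCookieBuilder());
```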