0

I have two AspNetCore sites that are hosted on the same host. I am trying to detangle their cookies so that it does not overload the max size that is allowed in headers.

I read on Google's site that both the Domain and Path are used to decide which requests get which cookies. The domain is set as the host name. But Path seems to be just what I need.

But when I try to set the path, it never actually changes. I have tried two different ways. For both, the code looks like this:

cookieAuthenticationOptions.Cookie.Path = "/MyAppRootPath";

The first method adds this code to services.AddAuthentication(...).AddCookie(...)

The other is the same code, but done in services.ConfigureApplicationCookie(...). (From this question.)

For both ways, when I look at my cookies in Chrome dev tools, the path is still set to the default of /:

[Screenshot: cookies with a path of forward slash]

How can I get the path of my cookies set to something other than the default of /?

Vaccano

2 Answers

1

Quote from MDN:

The Path attribute indicates a URL path that must exist in the requested URL in order to send the Cookie header. The %x2F ("/") character is considered a directory separator, and subdirectories match as well.

If you configure the cookie path like this:

cookieAuthenticationOptions.Cookie.Path = "/MyAppRootPath";

This cookie is only available with the path Domain/MyAppRootPath or Domain/MyAppRootPath/....

I tested three cookies with different paths.

services.AddAuthentication()
    .AddCookie("Cookie1", options => 
    {
        options.Cookie.Name = "Cookie1";
        options.Cookie.Path = "/";
    })
    .AddCookie("Cookie2", options =>
    {
        options.Cookie.Name = "Cookie2";
        options.Cookie.Path = "/Home";
    })
    .AddCookie("Cookie3", options =>
    {
        options.Cookie.Name = "Cookie3";
        options.Cookie.Path = "/Home/Test";
    });

Result:

https://localhost:44396/


https://localhost:44396/Home


https://localhost:44396/Home/Test


mj1313
  • So odd... That just does not work for me. Regardless of what I set it to, it stays as `/`. – Vaccano Dec 21 '20 at 18:43
  • Hi @Vaccano could you please share a Minimal, Complete, and Verifiable example, which would help troubleshoot the issue. – mj1313 Dec 23 '20 at 09:22
  • Turns out that when hosted in IIS the path is automatically set. While I would like to know why I can't set the path, I am hosting in IIS for my current project. So I will just use that to get the path set. Thank you for your help! – Vaccano Dec 23 '20 at 18:23
0

I'm 2 years late, but in my case it was because the cookie name comes with the cookie prefix __Host-. It requires Secure set to true and the path to be "/", so you cannot change the path (here is the link for more detail: https://googlechrome.github.io/samples/cookie-prefixes/). We can use the prefix __Secure-* to be able to set a custom path.
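
Added example (not code from either answer or from ASP.NET Core): a JavaScript model of the two browser-side rules the answers above rely on, the Path matching described in the MDN quote and the `__Host-` / `__Secure-` prefix requirements. The function names and the sample cookie jar are constructed for illustration.

```javascript
// Rule 1: RFC 6265 section 5.1.4 path-match. Decides whether a stored cookie
// is attached to a request for requestPath.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix match only counts on a "/" boundary: "/Home" must not match "/HomeOffice".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Rule 2: cookie name prefixes, checked when Set-Cookie is received.
// Returns null if the cookie is accepted, otherwise the reason it is rejected.
function prefixViolation(cookie, requestIsHttps) {
  const { name, path = "/", secure = false, domain } = cookie;
  if (name.startsWith("__Secure-") || name.startsWith("__Host-")) {
    if (!secure || !requestIsHttps) return "prefixed cookie needs Secure over HTTPS";
  }
  if (name.startsWith("__Host-")) {
    if (path !== "/") return "__Host- requires Path=/";
    if (domain !== undefined) return "__Host- forbids a Domain attribute";
  }
  return null;
}

// Names of the cookies in the jar that would be sent for requestPath.
function cookiesSentFor(requestPath, jar) {
  return jar.filter((c) => pathMatches(requestPath, c.path)).map((c) => c.name);
}

// Constructed jar mirroring the three cookies tested in the first answer.
const jar = [
  { name: "Cookie1", path: "/" },
  { name: "Cookie2", path: "/Home" },
  { name: "Cookie3", path: "/Home/Test" },
];

for (const p of ["/", "/Home", "/Home/Test", "/HomeOffice"]) {
  console.log(p, "->", cookiesSentFor(p, jar).join(", "));
}

// Constructed cookies using the path from the question with each prefix.
const hostCookie = { name: "__Host-Auth", path: "/MyAppRootPath", secure: true };
const secureCookie = { name: "__Secure-Auth", path: "/MyAppRootPath", secure: true };
console.log(prefixViolation(hostCookie, true));   // rejected: custom path not allowed
console.log(prefixViolation(secureCookie, true)); // accepted
```

For splitting two applications on one host, the path-boundary rule matters: an application rooted at `/Home` does not receive cookies scoped to `/HomeOffice`, but it does receive every cookie scoped to `/`.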