Cookie Domain not working #59070

Open
1 task
wangjunjx8868 opened this issue Nov 20, 2024 · 7 comments
Labels
area-security Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue.

Comments

@wangjunjx8868

wangjunjx8868 commented Nov 20, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Current version: .NET 8.0.
Cookie.Domain is not working:

   builder.Services.AddAuthentication(options =>
   {
       options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
   })
   .AddCookie(StudentAuthorizeAttribute.AuthenticationScheme, options =>
   {
       options.LoginPath = new PathString("/User/Login");
       options.LogoutPath = "/User/Logout";
       options.AccessDeniedPath = new PathString("/User/Denied");
       options.Cookie.Domain = ".example.com";
       options.Cookie.Name = ".AspNet.SharedCookie";
       options.Cookie.Path = "/";
   });

After signing in, I opened the F12 developer tools in the Edge browser to view the cookie and found that it automatically added the www; the result is .www.example.com. Why?

Expected Behavior

After signing in, the cookie Domain is .example.com

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

8.0.101

Anything else?

No response

@martincostello
Member

Do you get the same behaviour if you remove the . from the start of the value?

@MackinnonBuck MackinnonBuck added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Nov 20, 2024
@BrennanConroy
Member

It also seems very unlikely that we are adding www to your cookie, I'd guess it's something the browser is doing.

You could verify by deleting the cookie and looking at the response and viewing the Set-Cookie header.

@wangjunjx8868
Author

wangjunjx8868 commented Nov 21, 2024

> Do you get the same behaviour if you remove the . from the start of the value?

Yes. After removing the ., the result is www.example.com, and my subdomain website (abc.example.com) does not share this cookie either.

@dotnet-policy-service dotnet-policy-service bot added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels Nov 21, 2024
@wangjunjx8868
Author

> Do you get the same behaviour if you remove the . from the start of the value?

If a Framework website sets the domain, the result is .example.com, not .www.example.com:

     FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(2, "admin", DateTime.Now, DateTime.Now.AddDays(1),true, stuId.ToString(), "/");
     HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
     cookie.HttpOnly = true;
     cookie.Domain = "example.com";

@wangjunjx8868
Author

wangjunjx8868 commented Nov 21, 2024

> Do you get the same behaviour if you remove the . from the start of the value?

> It also seems very unlikely that we are adding www to your cookie, I'd guess it's something the browser is doing.
>
> You could verify by deleting the cookie and looking at the response and viewing the Set-Cookie header.

  builder.Services.AddAuthentication(options =>
  {
      options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
  })
  .AddCookie(StudentAuthorizeAttribute.AuthenticationScheme, options =>
  {
      options.LoginPath = new PathString("/Account/Login");
      options.LogoutPath = "/Account/Logout";
      options.AccessDeniedPath = new PathString("/Account/Denied");
      options.Cookie.Domain = "example.com"; // or .example.com
      //options.Cookie.Domain = ".example.com";
      options.Cookie.Name = ".AspNet.SharedCookie";
      options.Cookie.Path = "/";
      options.Cookie.HttpOnly = true;
      options.ExpireTimeSpan = TimeSpan.FromDays(1);
      options.SlidingExpiration = true;
  });

   app.UseRouting();
   app.UseCookiePolicy();   
   app.UseCors(MyAllowSpecificOrigins);
   app.UseAuthentication();
   app.UseAuthorization();
   app.UseResponseCaching();
   app.MapControllerRoute(
       name: "default",
       pattern: "{controller=Home}/{action=Index}/{id?}");

   app.Run();

@halter73 halter73 removed the Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. label Nov 26, 2024
@halter73
Member

halter73 commented Nov 26, 2024

What does the Set-Cookie response header for the authentication cookie look like? What is the full URL for the request containing the Set-Cookie header? And what are the full URLs for the requests that are missing the Cookie header in the request?

Have you looked at https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent?
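
The questions above turn on how a browser scopes a cookie from the Set-Cookie header and the host of the request that carried it. The following is an added example, not part of any comment in this thread and not ASP.NET Core code: a JavaScript sketch of the RFC 6265 storage and domain-matching rules. The function names and the Set-Cookie values are constructed for illustration, and public-suffix checks and IP-address hosts are left out.

```javascript
// Added example: cookie Domain handling per RFC 6265 sections 5.1.3, 5.2.3 and 5.3.
// Assumptions: hosts are DNS names; public-suffix and IP-address checks are omitted.

// RFC 6265 5.1.3: a host matches if it is identical to the domain or ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Parse one Set-Cookie header value received from requestHost and return
// the cookie as a browser would store it, or null if it must be rejected.
function storeCookie(setCookie, requestHost) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  let domainAttr = "";
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() !== "domain" || v === "") continue;
    // 5.2.3: a leading "." is ignored and the value is lower-cased.
    domainAttr = v.replace(/^\./, "").toLowerCase();
  }
  if (domainAttr === "") {
    // No Domain attribute: host-only cookie bound to the exact request host.
    return { name: pair.slice(0, eq), domain: requestHost.toLowerCase(), hostOnly: true };
  }
  // 5.3: a Domain that the request host does not domain-match is rejected.
  if (!domainMatch(requestHost, domainAttr)) return null;
  return { name: pair.slice(0, eq), domain: domainAttr, hostOnly: false };
}

// Would the stored cookie be attached to a request for `host`?
function sentTo(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

// Constructed Set-Cookie values (not taken from the issue), all received from www.example.com.
const shared = storeCookie(".AspNet.SharedCookie=abc; Domain=.example.com; Path=/; HttpOnly", "www.example.com");
const hostOnly = storeCookie(".AspNet.SharedCookie=abc; Path=/; HttpOnly", "www.example.com");
const wwwScoped = storeCookie(".AspNet.SharedCookie=abc; Domain=www.example.com; Path=/", "www.example.com");
for (const [label, c] of [["Domain=.example.com", shared], ["no Domain", hostOnly], ["Domain=www.example.com", wwwScoped]]) {
  console.log(label, "->", c.domain, "hostOnly:", c.hostOnly, "sent to abc.example.com:", sentTo(c, "abc.example.com"));
}
```

Comparing the raw Set-Cookie header against these three cases shows whether the server emitted a Domain attribute at all and which hosts the stored cookie can reach.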

@halter73 halter73 added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Nov 26, 2024
Contributor

Hi @wangjunjx8868. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.
