Merge pull request #19253 from abpframework/How-to-share-the-cookies-between-subdomains

How to share the cookies between subdomains
2 years ago · ffe845d210
1 changed files with 85 additions and 0 deletions
--- a/docs/en/Community-Articles/2024-03-03-Share-Cookies-BetweenSubDomains/POST.md
+++ b/docs/en/Community-Articles/2024-03-03-Share-Cookies-BetweenSubDomains/POST.md
@ -0,0 +1,85 @@
+# How to share the cookies between subdomains
+
+## Introduction
+
+Sharing cookies between subdomains is a common requirement in web development. For example, you have a website with multiple subdomains, and you want to share the login status between these subdomains. Once a user logs in to one subdomain, the user should be logged in to all subdomains. 
+
+This article will show you how to achieve this in an ASP.NET Core application.
+
+## Implementation principle
+
+The `cookie` has a `Domain` attribute which specifies which server can receive a cookie.
+If specified, then cookies are available on the server and its subdomains. For example, if you set `Domain=.abp.io`, cookies are available on `abp.io` and its subdomains like `community.abp.io`.
+
+If the server does not specify a **Domain**, the cookies are available on the server but not on its subdomains. Therefore, specifying the **Domain** is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.
+
+## Change the domain of the cookie in ASP.NET Core
+
+There is a `CookiePolicyMiddleware` in ASP.NET Core, you can add some policies to the `CookiePolicyOptions` during cookies are appended or deleted.
+
+We will add a policy to the `CookiePolicyOptions` to change the `domain` of the cookie:
+
+```csharp
+services.Configure<CookiePolicyOptions>(options =>
+{
+    options.OnAppendCookie = cookieContext =>
+    {
+        ChangeCookieDomain(cookieContext, null);
+    };
+
+    options.OnDeleteCookie = cookieContext =>
+    {
+        ChangeCookieDomain(null, cookieContext);
+    };
+});
+
+private static void ChangeCookieDomain(AppendCookieContext appendCookieContext, DeleteCookieContext deleteCookieContext)
+{
+    if (appendCookieContext != null)
+    {
+        // Change the domain of all cookies
+        //appendCookieContext.CookieOptions.Domain = ".abp.io";
+
+        // Change the domain of the specific cookie
+        if (appendCookieContext.CookieName == ".AspNetCore.Culture")
+        {
+            appendCookieContext.CookieOptions.Domain = ".abp.io";
+        }
+    }
+
+    if (deleteCookieContext != null)
+    { 
+        // Change the domain of all cookies
+        //appendCookieContext.CookieOptions.Domain = ".abp.io";
+
+        // Change the domain of the specific cookie
+        if (deleteCookieContext.CookieName == ".AspNetCore.Culture")
+        {
+            deleteCookieContext.CookieOptions.Domain = ".abp.io";
+        }
+    }
+}
+```
+
+Add the `app.UseCookiePolicy()` in the ASP.NET Core pipeline:
+
+```csharp
+//...
+app.UseStaticFiles();
+app.UseCookiePolicy();
+//...
+```
+
+If you check the HTTP response headers, you will see the `Set-Cookie` header with the `domain` attribute as follows:
+
+```http
+Set-Cookie: .AspNetCore.Culture=c%3Den%7Cuic%3Den; expires=Mon, 09 Mar 2026 02:00:00 GMT; domain=.abp.io; path=/
+```
+
+The subdomains can share the `.AspNetCore.Culture` cookie now.
+
+In another community article, we use the same middleware to [fix the Chrome login issue for the IdentityServer4](https://community.abp.io/posts/patch-for-chrome-login-issue-identityserver4-samesite-cookie-problem-weypwp3n)
+
+## Summary
+
+The `CookiePolicy` middleware provides a way to control cookies in an ASP.NET Core,  It is very useful if you have more complex requirements for Cookies.