diff --git a/docs/en/Community-Articles/2024-03-03-Share-Cookies-BetweenSubDomains/POST.md b/docs/en/Community-Articles/2024-03-03-Share-Cookies-BetweenSubDomains/POST.md new file mode 100644 index 0000000000..b4c7e00289 --- /dev/null +++ b/docs/en/Community-Articles/2024-03-03-Share-Cookies-BetweenSubDomains/POST.md @@ -0,0 +1,85 @@ +# How to share the cookies between subdomains + +## Introduction + +Sharing cookies between subdomains is a common requirement in web development. For example, you have a website with multiple subdomains, and you want to share the login status between these subdomains. Once a user logs in to one subdomain, the user should be logged in to all subdomains. + +This article will show you how to achieve this in an ASP.NET Core application. + +## Implementation principle + +The `cookie` has a `Domain` attribute which specifies which server can receive a cookie. +If specified, then cookies are available on the server and its subdomains. For example, if you set `Domain=.abp.io`, cookies are available on `abp.io` and its subdomains like `community.abp.io`. + +If the server does not specify a **Domain**, the cookies are available on the server but not on its subdomains. Therefore, specifying the **Domain** is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user. + +## Change the domain of the cookie in ASP.NET Core + +There is a `CookiePolicyMiddleware` in ASP.NET Core, you can add some policies to the `CookiePolicyOptions` during cookies are appended or deleted. + +We will add a policy to the `CookiePolicyOptions` to change the `domain` of the cookie: + +```csharp +services.Configure(options => +{ + options.OnAppendCookie = cookieContext => + { + ChangeCookieDomain(cookieContext, null); + }; + + options.OnDeleteCookie = cookieContext => + { + ChangeCookieDomain(null, cookieContext); + }; +}); + +private static void ChangeCookieDomain(AppendCookieContext appendCookieContext, DeleteCookieContext deleteCookieContext) +{ + if (appendCookieContext != null) + { + // Change the domain of all cookies + //appendCookieContext.CookieOptions.Domain = ".abp.io"; + + // Change the domain of the specific cookie + if (appendCookieContext.CookieName == ".AspNetCore.Culture") + { + appendCookieContext.CookieOptions.Domain = ".abp.io"; + } + } + + if (deleteCookieContext != null) + { + // Change the domain of all cookies + //appendCookieContext.CookieOptions.Domain = ".abp.io"; + + // Change the domain of the specific cookie + if (deleteCookieContext.CookieName == ".AspNetCore.Culture") + { + deleteCookieContext.CookieOptions.Domain = ".abp.io"; + } + } +} +``` + +Add the `app.UseCookiePolicy()` in the ASP.NET Core pipeline: + +```csharp +//... +app.UseStaticFiles(); +app.UseCookiePolicy(); +//... +``` + +If you check the HTTP response headers, you will see the `Set-Cookie` header with the `domain` attribute as follows: + +```http +Set-Cookie: .AspNetCore.Culture=c%3Den%7Cuic%3Den; expires=Mon, 09 Mar 2026 02:00:00 GMT; domain=.abp.io; path=/ +``` + +The subdomains can share the `.AspNetCore.Culture` cookie now. + +In another community article, we use the same middleware to [fix the Chrome login issue for the IdentityServer4](https://community.abp.io/posts/patch-for-chrome-login-issue-identityserver4-samesite-cookie-problem-weypwp3n) + +## Summary + +The `CookiePolicy` middleware provides a way to control cookies in an ASP.NET Core, It is very useful if you have more complex requirements for Cookies.