cross domain cookies in azure development with ACS authentication
Asked Answered
S

1

6

Hi I am developing two web services on Azure, saying "domain1.azurewebsite.net" and "domain2.azurewebsite.net". I have implemented the ACS authentication in both services under the same Active Directory. Now I need to log in through domain1.azurewebsite.net and share the cookie (which contains the auth token) with domain2.azurewebsite.net, so that I can access the data service of domain2 in domain1.

I have followed the suggestions online, which sets the cookie domain=".azurewebsite.net". I am expecting such cookie to be shared by all the sub domains, i.e., "*.azurewebsite.net", so that the cross domain purpose can be achieved. The setting is done in the web.config as follows

<system.identityModel.services>
 <federationConfiguration>
  <cookieHandler requireSsl="false"
                 domain=".azurewebsites.net"
                 hideFromScript="false"
                 persistentSessionLifetime="0:30:0" />
  <wsFederation passiveRedirectEnabled="true"
            issuer="https://focusns.accesscontrol.windows.net/v2/wsfederation" 
                realm="urn:Focusns" 
                requireHttps="false"
                persistentCookiesOnPassiveRedirects="true" />
 </federationConfiguration>
</system.identityModel.services>

To enable the cross domain request, I used CORS and I have correctly set the response headers from "domain2.azurewebsite.net" as follows:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://domain1.azurewebsites.net

However, my problem is that the cookie with ".azurewebsite.net" domain is not attached when log into domain1.azurewebsite.net. I cannot even see them when I inspect the cookies, when I am using Chrome, Opera, FF. But I do see the cookies in IE11, in which everything is working fine. I found the difference among different browsers in the link browser security handbook part 2, and I suspect the reason is IE doesn't support host-scope cookie.

Anyway, does anybody know how I can address the problem? I need it work in Chrome, FF, etc. Thanks in advance

Spence answered 21/7, 2014 at 19:52 Comment(0)
B
7

As per this issue Chrome34 ignores cookies with domain ".cloudapp.net",

  • Chrome
  • FireFox
  • (maybe other browsers)

refuse to set cookies for public, shared domain suffixes (listed here: https://publicsuffix.org/list/effective_tld_names.dat). And "azurewebsites.net" is one of them.

IE does not have this restriction, maybe because MS owns both.

The solution is probably to map the sites to a custom domain/subdomain names you own. You can not set chained subdomains in Azure, like "a.b.azurewebsites.net". If you could you could set the cookie for "b.azurewebsites.net", Chrome allows that.

Bohn answered 15/5, 2015 at 0:39 Comment(1)
Seeing this ban-list really solved my problem. I didn't know such a list of prohibited cookie-domains existed.Buchan

© 2022 - 2024 — McMap. All rights reserved.