c# - ASP.NET Core Sharing Identity Cookie across azure web apps on default domain (*.azurewebsites.net)

Question

Having trouble sharing an Identity Cookie (using ASP.NET Core v2) across multiple web applications

On my development environment, cookies are shared automatically (as it's localhost) - and that works fine!

When dealing with MS Azure, I've tried to set the cookie domain to .azurewebsites.net - to allow two web apps (e.g. app1.azurewebsites.net and app2.azurewebsites.net) to share a cookie.

Using the cookie configuration (abbreviated) like so:

public IServiceProvider ConfigureServices(IServiceCollection services)
{
    services.ConfigureApplicationCookie(options =>
    {
         options.Cookie.Domain = ".azurewebsites.net";
    }
}

However, when I deploy the main site (the one that generates cookies from logins) to Azure, I can't even login. The .AspNetCore.Application.Identity cookie doesn't even get returned after entering username/password (or social logins)

I've also tried the solution here: https://stackoverflow.com/a/44310683/1025394 With no success

Question is: Is there possibly any filtering going on the Azure side of things? Stopping me from setting a cookie for .azurewebsites.net? Maybe for Security purposes?

Answer 1

However, when I deploy the main site (the one that generates cookies from logins) to Azure, I can't even login. The .AspNetCore.Application.Identity cookie doesn't even get returned after entering username/password (or social logins)

I searched the web and found that some domain names do not allowed to create cookies for security concerns. Domains for Azure Cloud are listed as follows:

azurewebsites.net
azure-mobile.net
cloudapp.net

Detailed list of domains you could find here.

Moreover, if you want to share cookie among your multiple web apps, you could map custom domain name for your web apps (e.g. app1.yourwebsite.com, app2.yourwebsite.com) and set options.Cookie.Domain to .yourwebsite.com, details about mapping a custom domain you could follow here. Also, you need to configure data protection to use the same encryption keys for your multiple web apps. In addition, you could follow this similar issue.