Last post Sep 09, 2015 02:21 PM by user1452716
May 28, 2014 01:18 PM|user1452716
We're using ASP.NET Identity but have made a very small extension to the cookie authenticator to enable sub-domain authentication, i.e. we set the auth cookie to bear a hostname like .domain.com (note the preceding dot) instead of domain.com or my.domain.com. We do it so the user is authenticated on the domain and all subdomains hosted by that single ASP.NET MVC 5 app.
On the very FIRST attempt after app cold start, the cookie STILL bears the domain
my.domain.com (our logins are on my.domain.com) DESPITE setting it to
after executing the SubdomainCookieAuthentication code below. We've confirmed that even on the 1st cold boot the code indeed sets the right domain in the cookie (stepped via breakpoints in code below) but the cookie that reaches the client doesn't have it. On 2nd and subsequent attempts, the cookie hostname logic works just fine.
How can I fix this so it works even on the first attempt? The code below is super simple, leading us to believe the bug might be within ASP.NET Identity itself, but we couldn't find a way to alert the ASP.NET Identity team about this.
Custom cookie auth
    using System.Text.RegularExpressions;
    using Microsoft.Owin.Security.Cookies;

    public class SubdomainCookieAuthentication : CookieAuthenticationProvider
    {
        public override void ResponseSignIn(CookieResponseSignInContext context)
        {
            // We need to add a "." in front of the domain name to
            // allow the cookie to be used on all sub-domains too
            var hostname = context.Request.Uri.Host;
            // works for www.google.com => .google.com
            // will FAIL for www.google.co.uk (gives .co.uk) but doesn't apply to us
            var dotTrimmedHostname = Regex.Replace(hostname, @"^.*(\.\S+\.\S+)", "$1");
            context.Options.CookieDomain = dotTrimmedHostname;
        }
    }
This is initialized inside the Owin startup class as follows
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new SubdomainCookieAuthentication()
        });
    }
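The regex in the post derives the cookie domain from the request's Host value and, as its own comment notes, yields .co.uk for www.google.co.uk. The following is an added example, not part of the original post or of ASP.NET Identity: a hypothetical `CookieDomainResolver` that picks the cookie domain from a fixed allowlist instead. The allowlist entries and sample hosts are constructed.

```csharp
using System;
using System.Linq;
using System.Net;

// Hypothetical helper (not from the thread): maps a request host to a cookie
// domain using a fixed allowlist instead of a regex over the Host value.
public static class CookieDomainResolver
{
    // Constructed sample values: parent domains this app may scope cookies to.
    private static readonly string[] AllowedParents = { "domain.com", "example.co.uk" };

    // Returns ".parent" when host equals, or is a subdomain of, an allowed parent.
    // Returns null for anything else, meaning: leave the cookie host-only.
    public static string Resolve(string host)
    {
        if (string.IsNullOrWhiteSpace(host)) return null;
        host = host.Trim().TrimEnd('.').ToLowerInvariant();

        // IP literals and single-label hosts (e.g. localhost) get no Domain attribute.
        IPAddress ignored;
        if (IPAddress.TryParse(host, out ignored) || host.IndexOf('.') < 0) return null;

        // Longest entry first so a more specific allowed parent wins.
        foreach (var parent in AllowedParents.OrderByDescending(p => p.Length))
        {
            // Match on a label boundary: "notdomain.com" must not match "domain.com".
            if (host == parent || host.EndsWith("." + parent, StringComparison.Ordinal))
                return "." + parent;
        }
        return null;
    }

    public static void Main()
    {
        // Constructed sample hosts covering the cases above.
        var hosts = new[] { "my.domain.com", "domain.com", "www.example.co.uk",
                            "notdomain.com", "www.google.co.uk", "localhost", "10.0.0.5" };
        foreach (var h in hosts)
            Console.WriteLine("{0} => {1}", h, Resolve(h) ?? "(host-only)");
    }
}
```

The value returned by `Resolve` would take the place of `dotTrimmedHostname` in the provider above; a null result means no domain is set, so the cookie stays bound to the exact host.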
May 29, 2014 01:20 PM|user1452716
Is this the right forum for this?
Jun 02, 2014 09:51 PM|Ericzh
Hope below links help:
Jun 05, 2014 08:29 PM|user1452716
Which specific part are you referring to? Because the links are very general, sorta like 1st order Google results. In fact, if you look close, our code is very similar to the proposed solution.
Sep 07, 2015 09:05 AM|austingrigg
Did you ever figure out a solution to this? This is exactly what I was looking for to dynamically set the cookie domain, but I am seeing the same thing where it doesn't work on the first attempt.
Sep 09, 2015 02:21 PM|user1452716
No, because we moved away from cookie authentication to OAuth token authentication.
There is some extra information on