Is there a way to have the Identity Library cookies be tied to the root domain?

[DavidThielen]

Hi all;

I have a Blazor Interactive Server app that uses the ASP.NET Identity Library for Authentication & Authorization.

I have the app set up where you normally connect to it using connect.tradewindsstudios.us. However, it is an app showing events for political campaigns so I also allow connecting using MyCampaign.tradewindsstudios.us where the MyCampaign is a unique Id for a given campaign. It then only shows events for that campaign.

The problem is, if a user is logged in to connect.tradewindsstudios.us, they have to log in again to MyCampaign.tradewindsstudios.us. Is there a way to tell the Identity Library to tie the cookie identifying the logged in user to tradewindsstudios.us?

thanks - dave

[josephdecock]

There's a security risk that you should be aware of, which is that if you set the cookie domain to be the parent domain, browsers will send the cookies to ALL subdomains. The risk is that if some other subdomain is hacked, browsers will send session cookies to the attacker - imagine if you're running app1.example.com and app2.example.com, but there's also crappy-word-press-site.example.com that was set up by some marketing team 7 years ago, forgotten about, has never received any security patches and is now taken over by an attacker. Now if a user is logged on and goes to the vulnerable site, their session cookie will be disclosed to the attacker.

A better solution is to use a protocol that is designed for single sign on, like open id connect.

That said, you CAN control all the cookie attributes like this:

services.ConfigureApplicationCookie(options =>
{
    options.Cookie.Domain = "explicit domain here"; // somewhat dangerous
});

[DavidThielen]

Hi;

First off thanks for both the answer and the warning. The only use of the base domain is this app, my website (using WebFlow), and the documentation (using GitHub pages). And I am the sole tech resource for all this so no worries about someone else dropping something there. So a couple of questions:

1. Should I move the ap to a different base domain so it doesn't share with the website & docs?
2. If it is just this website, practically speaking, am I any worse off using this if it's only my app, but with all these subdomains?

Also, I don't know if you're one of the contributors to the Identity Library, but if you are, I think it's a really well designed tight solution. So thank you.

thanks - dave

[josephdecock]

No, I haven't worked directly on
aspnet Identity, but I've contributed to the OIDC handler, and work on IdentityServer and some open source OAuth and OIDC client libraries.

My general approach to security is to think in terms of understanding risk and your tolerance of it. So, if you understand the implications of a shared cookie (https://developer.mozilla.org/en-US/docs/Web/Security/Subdomain_takeovers), you can make a decision that makes sense, also taking into account the consequences of an attack/the sensitivity of the resources that you're handling.