Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
531 views
in Technique[技术] by (71.8m points)

asp.net mvc - Chrome34 ignores cookies with domain ".cloudapp.net"

After a lot of debugging from our dev/test environments hosted as web roles in Azure, that suddenly stopped working with Chrome 34, we realize that Chrome was ignoring the set-cookie response that has cookies with domain name ".cloudapp.net" (the default public Microsoft domain for cloud services in Azure). The reason we choose this name was to be able to generate CORS requests among different cloud services that needed secure requests from the same javascript App. This means getting an authentication cookie from a MVC site like http://example.cloudapp.net and calling secure WebApi REST services in another web role like http://exampleServices.cloudapp.net (only works with cookies with the same domain name)

The following is an example of the authentication response from the cloud service that generates the authentication cookie:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin:http://example.cloudapp.net
Cache-Control:private
Content-Length:31
Content-Type:application/json; charset=utf-8
Date:Fri, 11 Apr 2014 20:21:20 GMT
Server:Microsoft-IIS/8.0
Set-Cookie:.COOKIENAME=XXXXXXXXXXXXXXXXXXXX; domain=.cloudapp.net; path=/; HttpOnly

The problem we are facing is that the cookie is discarted in Chrome34 with this domain name, so any other request is not authenticated. We can buy a public domain and setup our cloud services in azure, but I'd like to know if there is any work around to this problem.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

This is probably because browsers like Chrome use the Public Suffix List(https://publicsuffix.org/list/effective_tld_names.dat) to restrict certain cookies. If the domain suffix set on the cookie is shared publicly then the browser may block such a cookie in order to prevent itself from sending "unauthorized" data to other servers running on the same domain. Note that cloudapp.net domain is there in the Public Suffix list.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...