Accessing HttpOnly cookies across multiple domain with URL redirection

Question

I have an ASP.Net MCV website (.net 4.6) (https://site.aa.main.com) and we have built a redirection to an Angular SAP (https://spa.aa.new.main.com). We also have a standalone API (.net core 3.1)(https://api.aa.new.main.com:5001) to serve requests from the SPA.

Here I need to set a cookie in site 1 before the redirection, then I can use that cookie in the API.

I have the below code in site 1 to set this cookie,

HttpCookie payidCookie = new HttpCookie("myKey", "myValue")
{
     Secure = true,
     HttpOnly = true,             
     Domain = ".new.main.com",
};

this.Response.Cookies.Add(payidCookie);

Then I have the below code to consume the cookie in the API,

if (Request.Cookies["myKey"] != null)
{
    var value = Request.Cookies["myKey"];
}

But the cookie is not available in the API. Request.Cookies["myKey"] return null.

Does anyone know why I cannot see the cookie in the API and how to fix this issue?

Thanks.

Answer 1

This case is explicitly covered in specification, site.aa.main.com cannot set cookies for new.main.com:

The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".

You would either have to set cookie for main.com or figure out other naming setup that would have common subdomain for all involved hosts.