I’m encountering an issue related to cookies in my .NET Core website. The problem occurs specifically when using the Stripe payment gateway. Here’s the scenario:
My website consists of two projects: a client project and an API project. These projects are deployed on different servers:
Client URL: https://maindomain.com/
API URL: https://backendapis.maindomain.com/api/
The issue arises when a client attempts to make a payment using Stripe. Regardless of whether the payment is successful or canceled, the client gets logged out.
Upon investigating, I noticed that the cookies behave unexpectedly after this operation. Specifically, I receive the error message: “This cookie was blocked because neither did the request URL’s domain exactly match the cookie’s domain, nor was the request URL’s domain a subdomain of the cookie’s Domain attribute value.”
Here is what happens to the cookies after the redirection from Stripe:
Here’s how I’ve configured cookies for the client:
// Client project: cookie policy applied to every cookie the app issues
services.Configure<CookiePolicyOptions>(options =>
{
    options.CheckConsentNeeded = context => false;
    options.MinimumSameSitePolicy = SameSiteMode.Lax;
    options.Secure = CookieSecurePolicy.Always;
});

#region "Session init"
services.AddDistributedMemoryCache();
services.AddSession(options =>
{
    // No Domain is set, so the session cookie is host-only (bound to the exact host that issued it)
    options.Cookie.Name = ".AspNetCore.Session.khaled.Client";
    options.IdleTimeout = TimeSpan.FromDays(150);
    options.Cookie.IsEssential = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});
#endregion "Session init"
And this is the pipeline:
// Client project: request pipeline
app.UseAuthentication();
app.UseSession();
if (env.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler("/Home/Error");
}
app.UseStaticFiles();
app.UseCookiePolicy();
app.UseMvc(routes =>
{
    routes.MapRoute(
        name: "default",
        template: "{controller=Home}/{action=Index}/{id?}");
});
As for the API, there is no CORS configuration explicitly set. However, I assume it allows requests from all origins by default, since I can call some APIs that have no authentication directly from the browser.
// API project: request pipeline
app.UseHttpStatusCodeExceptionMiddleware();
app.UseHttpsRedirection();
app.UseRouting();
app.UseStaticFiles();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    endpoints.MapControllers();
});
Any insights on why the cookies are behaving this way, especially in the context of Stripe payments? Is there something I’m missing in my configuration?
I found it: the problem was in the return URL that we configured in Stripe.
The success return URL was https://maindomain.com/Payment/Success and
the cancel return URL was https://maindomain.com/Payment/Cancel.
So when users log in with the domain https://www.maindomain.com/ they would be logged out, because the domain with 'www' is different from the domain without 'www', and as you can see the return URL is the non-'www' version.
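The www/non-www mismatch described in this answer is a direct consequence of the browser's cookie domain-matching rules (RFC 6265). The following is an added example, not code from the question or the answer above, that models those rules in Python: a session cookie without a Domain attribute is host-only, so one set during login on www.maindomain.com is never sent to a return URL on maindomain.com. The cookie representation and the simulate_login_then_stripe_return helper are constructed for this illustration.

```python
# Added example: RFC 6265 cookie domain matching, showing why a cookie set during
# login on https://www.maindomain.com/ is not sent to https://maindomain.com/Payment/Success.
from typing import Optional
from urllib.parse import urlsplit


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: request_host domain-matches cookie_domain when the
    two are identical, or request_host ends with '.' followed by cookie_domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_is_sent(cookie: dict, request_url: str) -> bool:
    """Decide whether a stored cookie is attached to a request for request_url.

    cookie = {"host": host that issued it, "domain": Domain attribute or None,
              "secure": bool}. A cookie with no Domain attribute is host-only and
    is returned only to the exact host that issued it (RFC 6265 sections 5.3/5.4).
    """
    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()
    if cookie["secure"] and parts.scheme != "https":
        return False  # Secure cookies never travel over plain http
    if cookie["domain"] is None:
        return host == cookie["host"].lower()  # host-only: exact host match required
    return domain_matches(host, cookie["domain"])


def simulate_login_then_stripe_return(login_origin: str, return_url: str,
                                      domain_attr: Optional[str]) -> bool:
    """Issue the session cookie at login_origin (constructed cookie, Secure set as in
    the question's config) and report whether the browser sends it to return_url."""
    session_cookie = {
        "host": urlsplit(login_origin).hostname,
        "domain": domain_attr,
        "secure": True,
    }
    return cookie_is_sent(session_cookie, return_url)


if __name__ == "__main__":
    # The situation from the question: login on the www host, Stripe return URL on the apex host.
    print(simulate_login_then_stripe_return("https://www.maindomain.com/",
                                            "https://maindomain.com/Payment/Success", None))
    # A cookie scoped with Domain=maindomain.com would reach both hosts.
    print(simulate_login_then_stripe_return("https://www.maindomain.com/",
                                            "https://maindomain.com/Payment/Success", "maindomain.com"))
```

Note that widening the cookie with Domain=maindomain.com also delivers it to every other subdomain, including backendapis.maindomain.com, which enlarges the cookie's exposure; keeping the Stripe return URLs on the same host the user logged in on (or redirecting www and non-www to one canonical host) fixes the logout without changing the cookie's scope.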