From 68c3ebaf4623b5af677708758b3ec3010eca7a1d Mon Sep 17 00:00:00 2001 From: Charles Lowell Date: Wed, 15 Mar 2017 08:57:01 -0700 Subject: [PATCH] Set data protection application discriminators This prevents cookie confusion when applications are hosted at the same domain and path. For example, under default settings, WebMVC may attempt to decrypt Identity's antiforgery cookie rather than its own. --- src/Services/Identity/Identity.API/Startup.cs | 5 +++++ src/Web/WebMVC/Startup.cs | 5 +++++ src/Web/WebSPA/Startup.cs | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/src/Services/Identity/Identity.API/Startup.cs b/src/Services/Identity/Identity.API/Startup.cs index d29459395..81c26eb16 100644 --- a/src/Services/Identity/Identity.API/Startup.cs +++ b/src/Services/Identity/Identity.API/Startup.cs @@ -54,6 +54,11 @@ namespace eShopOnContainers.Identity services.Configure(Configuration); + services.AddDataProtection(opts => + { + opts.ApplicationDiscriminator = "eshop.identity"; + }); + services.AddMvc(); services.AddTransient(); diff --git a/src/Web/WebMVC/Startup.cs b/src/Web/WebMVC/Startup.cs index 8bd7708d3..defcf31dd 100644 --- a/src/Web/WebMVC/Startup.cs +++ b/src/Web/WebMVC/Startup.cs @@ -41,6 +41,11 @@ namespace Microsoft.eShopOnContainers.WebMVC // This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { + services.AddDataProtection(opts => + { + opts.ApplicationDiscriminator = "eshop.webmvc"; + }); + services.AddMvc(); services.Configure(Configuration); diff --git a/src/Web/WebSPA/Startup.cs b/src/Web/WebSPA/Startup.cs index a0f33d8b3..1386849f7 100644 --- a/src/Web/WebSPA/Startup.cs +++ b/src/Web/WebSPA/Startup.cs @@ -41,6 +41,11 @@ namespace eShopConContainers.WebSPA { services.Configure(Configuration); + services.AddDataProtection(opts => + { + opts.ApplicationDiscriminator = "eshop.webspa"; + }); + services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN"); services.AddMvc()