From c10fea7b48c95099dfa10e673cf1e91b045576d4 Mon Sep 17 00:00:00 2001
From: Charles Lowell
Date: Wed, 15 Mar 2017 08:57:01 -0700
Subject: [PATCH] Set data protection application discriminators

This prevents cookie confusion when applications are hosted at the same domain and path. For example, under default settings, WebMVC may attempt to decrypt Identity's antiforgery cookie rather than its own.
---
 src/Services/Identity/Identity.API/Startup.cs | 5 +++++
 src/Web/WebMVC/Startup.cs | 5 +++++
 src/Web/WebSPA/Startup.cs | 5 +++++
 3 files changed, 15 insertions(+)
diff --git a/src/Services/Identity/Identity.API/Startup.cs b/src/Services/Identity/Identity.API/Startup.cs
index a58b5a6d9..94d11a818 100644
--- a/src/Services/Identity/Identity.API/Startup.cs
+++ b/src/Services/Identity/Identity.API/Startup.cs
@@ -57,6 +57,11 @@ namespace eShopOnContainers.Identity
 services.Configure(Configuration);
+ services.AddDataProtection(opts =>
+ {
+ opts.ApplicationDiscriminator = "eshop.identity";
+ });
+
 services.AddMvc();
 services.AddHealthChecks(checks =>
diff --git a/src/Web/WebMVC/Startup.cs b/src/Web/WebMVC/Startup.cs
index aaba855d0..fd3d44893 100644
--- a/src/Web/WebMVC/Startup.cs
+++ b/src/Web/WebMVC/Startup.cs
@@ -43,6 +43,11 @@ namespace Microsoft.eShopOnContainers.WebMVC
 // This method gets called by the runtime. Use this method to add services to the container.
 public void ConfigureServices(IServiceCollection services)
 {
+ services.AddDataProtection(opts =>
+ {
+ opts.ApplicationDiscriminator = "eshop.webmvc";
+ });
+
 services.AddMvc();
 services.Configure(Configuration);
diff --git a/src/Web/WebSPA/Startup.cs b/src/Web/WebSPA/Startup.cs
index 163ccca04..17a1bf976 100644
--- a/src/Web/WebSPA/Startup.cs
+++ b/src/Web/WebSPA/Startup.cs
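Review bot: The `ApplicationDiscriminator` literal added in Identity.API's Startup.cs, and the matching ones in the WebMVC and WebSPA hunks, carry no comment on the constraints the value has: it must differ per application, be identical on every replica of the same application, and stay unchanged across releases, since payloads protected under one discriminator cannot be unprotected under another. A one-line comment above each call would record that, for example `// Must be unique per app and stable across instances and releases; changing it invalidates existing cookies and tokens.` The discriminator isolates applications but does not decide where the key ring lives, and key persistence is not visible in these hunks (ConfigureServices continues outside them). It is worth confirming that keys are persisted to shared storage rather than left at the container default, where a restart or a second replica would presumably make existing cookies fail to decrypt.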
@@ -47,6 +47,11 @@ namespace eShopConContainers.WebSPA
 services.Configure(Configuration);
+ services.AddDataProtection(opts =>
+ {
+ opts.ApplicationDiscriminator = "eshop.webspa";
+ });
+
 services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
 services.AddMvc()
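Review bot: The antiforgery registration directly after the added block in WebSPA's Startup.cs sets only `HeaderName`, so the cookie name is left to the framework default, and as far as I know that default is computed from the data-protection `ApplicationDiscriminator`; the fix therefore depends on a link that nothing in the file states. I would put a comment above the added call, for example `// Also determines the default antiforgery cookie name, so WebSPA's XSRF cookie no longer collides with Identity's or WebMVC's.` ConfigureServices starts and ends outside this hunk, so an explicit cookie name set elsewhere cannot be ruled out.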