Set data protection application discriminators

This prevents cookie confusion when applications are hosted at the same domain and path. For example, under default settings, WebMVC may attempt to decrypt Identity's antiforgery cookie rather than its own.
2017-03-15 08:57:01 -07:00 · 2017-03-15 08:57:01 -07:00 · c10fea7b48
commit c10fea7b48
parent 608c4c512a
3 changed files with 15 additions and 0 deletions
--- a/src/Services/Identity/Identity.API/Startup.cs
+++ b/src/Services/Identity/Identity.API/Startup.cs
@ -57,6 +57,11 @@ namespace eShopOnContainers.Identity

            services.Configure<AppSettings>(Configuration);

+            services.AddDataProtection(opts =>
+            {
+                opts.ApplicationDiscriminator = "eshop.identity";
+            });
+
            services.AddMvc();

            services.AddHealthChecks(checks =>
--- a/src/Web/WebMVC/Startup.cs
+++ b/src/Web/WebMVC/Startup.cs
@ -43,6 +43,11 @@ namespace Microsoft.eShopOnContainers.WebMVC
        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
+            services.AddDataProtection(opts =>
+            {
+                opts.ApplicationDiscriminator = "eshop.webmvc";
+            });
+
            services.AddMvc();
            services.Configure<AppSettings>(Configuration);

--- a/src/Web/WebSPA/Startup.cs
+++ b/src/Web/WebSPA/Startup.cs
@ -47,6 +47,11 @@ namespace eShopConContainers.WebSPA

            services.Configure<AppSettings>(Configuration);

+            services.AddDataProtection(opts =>
+            {
+                opts.ApplicationDiscriminator = "eshop.webspa";
+            });
+
            services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");

            services.AddMvc()