Cookie usage in multisite

Cookies are set per domain/subdomain. It's a "security thing". If you don't define a domain or subdomain, it will automatically use the domain you're currently on when creating that cookie. Sharing/reading/writing cookies from one domain to another isn't good practice or really possible.

Thanks for the quick reply, Brendan. You have been very helpful in other posts I have read. Our setup shares a code base. I am setting the cookie like so, but have tried altering the SetValue parameters to no avail: CookieHelper.SetValue("CookieName", myObject.Email, DateTime.Now.AddDays(1), "/", true, URLHelper.GetDomain(URLHelper.GetApplicationUrl()), CMS.Base.SameSiteMode.None, true);

Glad to help out.

Like I stated, you can't create a cookie on one site and expect it to be read on another site, it's not possible. You may have to do some other work to handle this.

How would I go about having the codebase create a new cookie based on the site that is utilizing that code? That is what I thought my code would do...

I want to create a new cookie for each site whenever this controller action is hit. My logging shows no issues in the application output or when I log to the event log, and I see no errors. There is something going on here that I don't see just yet. This controller works for all of the sites and this is the only thing that isn't working.

It respects your current cookie level, so you can check that and the default cookie level set for the site in Settings > System > Cookies. The ICurrentCookieLevelProvider allows you to set the cookie level to All beforehand and see if that makes a difference. Ultimately, the CookieHelper is just a wrapper around the HttpContext.Response.Cookies.

Some of you are misunderstanding. I want to set a new cookie for each domain. Let's proceed from this point.

Then you need to check out output of your cookie definition. The syntax you pasted is not correct, it's missing some ) in it. Secondly, you may want to output your values to see what is being returned. URLHelper.GetApplicationUrl() needs an string input parameter and returns the domain. However you don't have a string input parameter defined. You might want to try the following:

CookieHelper.SetValue("CookieName", "CookieValue", "/yourpath-or-root", DateTime.Now.AddDays(1), true, "." + URLHelper.GetDomain(RequestContext.CurrentDomain))

Setting the domain to something like .domain.com will allow all subdomains to access that cookie as well vs using something like domain.com which will only allow that given domain and no subdomains to access it.

Setting your domain properly should get you what you're looking for.

Thank you for pointing out my typo from above - I have corrected that as it is correct in my code. Each of our sites has its own domain and are not subdomains. I am output the values in the application output and event log and none of the values appear to be the issue. Thank you for your response.

As I stated before, when you create a cookie, they are created for a given domain. So if you are creating a cookie on domain1.com and expecting when you navigate to domain2.com to see domain1.com cookies, you won't.

If you're looking for a more specific answer, you'll have to provide more specific details, how you're testing and values.

Brendan, we have a multisite installation. All nine sites share the same codebase. We want the code to create a cookie for domain1 when domain1 hits the controller action and only domain1 can access this cookie. We want domain2 to create a cookie for domain2 when domain2 hits the controller action and only domain2 can access this cookie. So on and so forth for all nine sites. This is why this is a conundrum to me. Only domain1 is creating the cookie. None of the other eight sites create a cookie with the same codebase. Please let me know what other detail I can provide if the issue is not clear at this point.

As I stated above, use a different method to get your domain. You're currently using

URLHelper.GetDomain(URLHelper.GetApplicationUrl())

Maybe use something like

URLHelper.GetDomain(RequestContext.CurrentDomain)

or

URLHelper.GetDomain(SiteContext.CurrentSite.SitePresentationURL)

My guess is you're not getting the proper domain and it's not setting the cookie properly.

Through my logging to the event log, it appears as though the domain portion is fine. Here is the code for that:

  IEventLogService eventLog = Service.Resolve<IEventLogService>();
  eventLog.LogInformation("Cookie testing", "COOKIETEST", eventDescription: $"{domain}, {contact.Email}", siteService.CurrentSite.SiteID);

I can try your suggested methods of getting the domain, but that does not appear to be the issue. Perhaps it has something to do with Azure?

Your code example isn't showing me anything except you're logging an event log. Where do you define the domain variable? And have you tested it across ALL sites? Try logging all 3 examples above and see if the results are the same with all three in multiple sites.

Brendan, the correct url is being logged for each site with the above event log code. I am in the process of logging your examples and will let you know what I find momentarily.

For your examples, while running in debug mode, the first one logged an empty string to the application output and the second example logged the domain. I am going to try your second example for getting the domain in my code in my staging environment and will report back with the results.

Unfortunately, there is no change when inspecting the cookies within the Application tab of the developer tools in the staging environment. It is creating and updating the cookie for our main domain, but it is not setting one for any other domain. I appreciate your suggestions nonetheless.

You don’t have to specify the domain. By default, the cookie is set for the current domain you’re visiting. We do something similar, with this statement in a shared controller:

CookieHelper.SetValue("CookieName", "CookieValue", DateTime.Now.AddDays(90));

If it doesn’t set a cookie when visiting another site, check your site’s cookie settings and that the HttpContext is what you expect.

Well, I feel like an idiot. Marcel, you were correct on the Settings side. I thought everything was inheriting from global settings which is set to All, but it turns out the other eight sites in Settings > System > Cookies were set to Essential. Thanks everyone for your help, and I hope this thread helps others in the future.