I have a Web API controller that authenticates a user and sets a cookie on the response:
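// create the response
var response = this.Request.CreateResponse(HttpStatusCode.OK);
var cookie = new CookieHeaderValue(
    FormsAuthentication.FormsCookieName,
    user.GenerateEncryptedTicket(persistent)
);

// Request.RequestUri.Host is taken from the client's Host header, so it is
// untrusted input. Only use it for the Domain attribute when it is a DNS name
// with at least one dot: browsers reject (or silently drop) a Domain that is
// an IP literal, a dotless host such as 'localhost' or a bare machine name,
// or a public suffix. The previous Split('.').Length > 2 heuristic turned an
// IPv4 host like '192.168.1.1' into Domain '.1.1'.
// http://stackoverflow.com/a/5849409/99373
var host = Request.RequestUri.Host;
var isDnsName = Uri.CheckHostName(host) == UriHostNameType.Dns;
var labels = host.Split('.');
if (isDnsName && labels.Length > 1)
{
    if (labels.Length > 2)
    {
        // sub-domain: scope the cookie to the parent as '.domain.com'
        // NOTE: this is a two-label guess; for a host under a multi-label
        // public suffix (e.g. 'www.example.co.uk') the result is '.co.uk',
        // which the browser will reject — consult the public suffix list
        // if such hosts are served.
        cookie.Domain = "." + string.Join(".", labels, labels.Length - 2, 2);
    }
    else
    {
        // plain 'domain.com'
        cookie.Domain = host;
    }
}

// NOTE(review): Expires is set even when persistent is false, so the ticket
// is always written as a persistent cookie; FormsAuthentication.SetAuthCookie
// only sets Expires for persistent cookies — confirm which is intended.
cookie.Expires = DateTime.Now.Add(FormsAuthentication.Timeout);
cookie.Path = "/";
// keep the ticket out of reach of script running in the page
cookie.HttpOnly = true;
// mirror <forms requireSSL="..."> so the ticket only travels over TLS when the
// application is configured for it, as FormsAuthentication.SetAuthCookie does
cookie.Secure = FormsAuthentication.RequireSSL;
// mark the session as authenticated
response.Headers.AddCookies(new CookieHeaderValue[] { cookie });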
Unfortunately, this works in IE and Firefox but not in Chrome. If I comment out the part that sets `cookie.Domain`
altogether, Chrome works.
Any ideas why?