How to share the cookies between subdomains

Introduction

Sharing cookies between subdomains is a common requirement in web development. For example, you have a website with multiple subdomains, and you want to share the login status between these subdomains. Once a user logs in to one subdomain, the user should be logged in to all subdomains.

This article will show you how to achieve this in an ASP.NET Core application.

Implementation principle

The cookie has a Domain attribute which specifies which server can receive a cookie.
If specified, then cookies are available on the server and its subdomains. For example, if you set Domain=.abp.io, cookies are available on abp.io and its subdomains like community.abp.io.

If the server does not specify a Domain, the cookies are available on the server but not on its subdomains. Therefore, specifying the Domain is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.

There is a CookiePolicyMiddleware in ASP.NET Core, you can add some policies to the CookiePolicyOptions during cookies are appended or deleted.

We will add a policy to the CookiePolicyOptions to change the domain of the cookie:

services.Configure<CookiePolicyOptions>(options =>
{
    options.OnAppendCookie = cookieContext =>
    {
        ChangeCookieDomain(cookieContext, null);
    };

    options.OnDeleteCookie = cookieContext =>
    {
        ChangeCookieDomain(null, cookieContext);
    };
});

private static void ChangeCookieDomain(AppendCookieContext appendCookieContext, DeleteCookieContext deleteCookieContext)
{
    if (appendCookieContext != null)
    {
        // Change the domain of all cookies
        //appendCookieContext.CookieOptions.Domain = ".abp.io";

        // Change the domain of the specific cookie
        if (appendCookieContext.CookieName == ".AspNetCore.Culture")
        {
            appendCookieContext.CookieOptions.Domain = ".abp.io";
        }
    }

    if (deleteCookieContext != null)
    { 
        // Change the domain of all cookies
        //appendCookieContext.CookieOptions.Domain = ".abp.io";

        // Change the domain of the specific cookie
        if (deleteCookieContext.CookieName == ".AspNetCore.Culture")
        {
            deleteCookieContext.CookieOptions.Domain = ".abp.io";
        }
    }
}

Add the app.UseCookiePolicy() in the ASP.NET Core pipeline:

//...
app.UseStaticFiles();
app.UseCookiePolicy();
//...

If you check the HTTP response headers, you will see the Set-Cookie header with the domain attribute as follows:

Set-Cookie: .AspNetCore.Culture=c%3Den%7Cuic%3Den; expires=Mon, 09 Mar 2026 02:00:00 GMT; domain=.abp.io; path=/

The subdomains can share the .AspNetCore.Culture cookie now.

In another community article, we use the same middleware to fix the Chrome login issue for the IdentityServer4

Summary

The CookiePolicy middleware provides a way to control cookies in an ASP.NET Core, It is very useful if you have more complex requirements for Cookies.