asp.net-mvc, asp.net-web-api, cors, stripe-payments, session-cookies

Cookie Blocking Issue


I’m encountering an issue related to cookies in my .NET Core website. The problem occurs specifically when using the Stripe payment gateway. Here’s the scenario:

My website consists of two projects: a client project and an API project. These projects are deployed on different servers:

Client URL: https://maindomain.com/

API URL: https://backendapis.maindomain.com/api/

The issue arises when a client attempts to make a payment using Stripe. Regardless of whether the payment is successful or canceled, the client gets logged out.

Upon investigating, I noticed that the cookies behave unexpectedly after this operation. Specifically, I receive the error message: “This cookie was blocked because neither did the request URL’s domain exactly match the cookie’s domain, nor was the request URL’s domain a subdomain of the cookie’s Domain attribute value.”

Here is what happens to the cookies after redirection from Stripe:

[image: the cookies after the Stripe redirect]

Here’s how I’ve configured cookies for the client:

    // Cookie policy for the client app (ConfigureServices)
    services.Configure<CookiePolicyOptions>(options =>
    {
        options.CheckConsentNeeded = context => false;
        options.MinimumSameSitePolicy = SameSiteMode.Lax;
        options.Secure = CookieSecurePolicy.Always;
    });

    #region "Session init"
    // Session state backed by the in-memory cache. No Cookie.Domain is set, so the
    // session cookie is a host-only cookie for whichever host the user signed in on.
    services.AddDistributedMemoryCache();
    services.AddSession(options =>
    {
        options.Cookie.Name = ".AspNetCore.Session.khaled.Client";
        options.IdleTimeout = TimeSpan.FromDays(150);
        options.Cookie.IsEssential = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    });
    #endregion "Session init"
And this is the pipeline:

    // Client app pipeline (Configure). Note: the documented middleware order puts
    // app.UseCookiePolicy() before app.UseAuthentication().
    app.UseAuthentication();
    app.UseSession();

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
    }

    app.UseStaticFiles();
    app.UseCookiePolicy();

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
    });

As for the API, there is no CORS configuration explicitly set. However, I assume it allows requests from all origins by default, since I can call some APIs that have no authentication directly from the browser.

    // API pipeline (Configure)
    app.UseHttpStatusCodeExceptionMiddleware();
    app.UseHttpsRedirection();
    app.UseRouting();
    app.UseStaticFiles();
    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });

Any insights on why the cookies are behaving this way, especially in the context of Stripe payments? Is there something I’m missing in my configuration?


Solution

  • I found it: the problem was in the return URLs that we configured in Stripe.

    The success return URL was https://maindomain.com/Payment/Success and

    the cancel return URL was https://maindomain.com/Payment/Cancel.

    So when users log in at https://www.maindomain.com/, they get logged out, because the domain with 'www' is different from the domain without 'www', and as you can see the return URLs are the non-'www' version.
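Why this logs the user out: a cookie issued without a Domain attribute (the ASP.NET Core default, since Cookie.Domain is unset above) is a host-only cookie, so one created at www.maindomain.com is never sent to a request for maindomain.com, which is exactly what the browser's "neither did the request URL's domain exactly match the cookie's domain" message says. The two usual fixes are shown below as an added example; this is not code from the original post, only the host names and the session cookie name come from the question, and the cookie authentication scheme is an assumption (adjust if Identity or another scheme is in use). A related check: the cookies must not be SameSite=Strict, because the return from Stripe is a cross-site top-level navigation; Lax, which the post already uses, is sent on that GET.

```csharp
// Added example, not from the original post. Host names are the ones in the question;
// the authentication scheme is an assumption.
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Rewrite;
using Microsoft.Extensions.DependencyInjection;

public static class CookieHostFix
{
    // Option 1 (preferred): pick ONE canonical host and permanently redirect every other
    // host to it. Register this first in Configure, before UseAuthentication/UseSession,
    // so no cookie is ever issued for the non-canonical host. Stripe's return to
    // https://maindomain.com/Payment/Success is then redirected (path and query preserved)
    // to https://www.maindomain.com/Payment/Success, where the host-only cookies apply.
    public static void UseCanonicalHost(IApplicationBuilder app)
    {
        app.UseRewriter(new RewriteOptions().AddRedirectToWwwPermanent());
        // If the canonical host is maindomain.com instead, use AddRedirectToNonWwwPermanent();
        // the Stripe return URLs in the question already match that host.
    }

    // Option 2: scope the cookies to the parent domain explicitly. Browsers then send them
    // to maindomain.com, www.maindomain.com AND every other subdomain, including
    // backendapis.maindomain.com. Only do this if you accept the session and auth cookies
    // travelling to the API host; host-only (no Domain) is the stricter default.
    public static void ConfigureSharedDomainCookies(IServiceCollection services)
    {
        const string cookieDomain = ".maindomain.com";

        services.AddDistributedMemoryCache();
        services.AddSession(options =>
        {
            options.Cookie.Name = ".AspNetCore.Session.khaled.Client";
            options.Cookie.Domain = cookieDomain;
            options.Cookie.IsEssential = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            // Lax is still sent on the top-level GET back from Stripe; Strict would not be.
            options.Cookie.SameSite = SameSiteMode.Lax;
            options.IdleTimeout = TimeSpan.FromDays(150);
        });

        // Assumed: plain cookie authentication. With Identity, set the same Cookie.Domain
        // via services.ConfigureApplicationCookie(...) instead.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.Domain = cookieDomain;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.SameSite = SameSiteMode.Lax;
            });
    }
}
```

With option 1 the Stripe dashboard URLs can stay as they are, because the redirect normalises the host before any cookie is read; with option 2 the return URLs work on either host, at the cost of the session cookie also being presented to backendapis.maindomain.com on every API call.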