ASP.NET Mvc Api: Set cookie then 302/303 Redirect loses the cookie

Question

I have an API action that returns a HttpResponseMessage. API address is like: http://localhost/login?authcode=xxx

The API action does some login authentication and r

Answer 1

I found the answer. The scope is not set. In my original code the following line is missing.

cookie.Path = "/";

Because redirecting to another page, even if under the same domain, the cookie is not valid across different pages. If path is not set, then the cookie is only valid with the original request targeting http://localhost/login?authcode=xxx

Today I learnt that I need to carefully examine the domain and the path attribute of the cookie before claiming that somebody ate it.

Answer 2

My cookies have added Path, but the problem still not resolve.

After a long time, I finally resolve this problem by remove session state config in web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!--<sessionState cookieless="false" timeout="30" mode="StateServer" stateConnectionString="tcpip=localhost:42424" />-->
  </system.web>
</configuration>

I can add set-cookie header after comments <sessionState>.

I hope this helps you, thanks.