AddSession Sets wrong Cookie Path

[Coder3333]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

SessionServiceCollectionExtensions.AddSession creates a cookie with the Path of "/", ignoring the path base of the web application. This is further complicated in that AddSession does not provide a way to access the HttpContext, so my code cannot easily set the cookie path to the desired value.

Documents cookie behavior of AddSession:
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-7.0#session-options

Documents the problem:
https://stackoverflow.com/q/54362266/4194514

Expected Behavior

The cookie created by SessionServiceCollectionExtensions.AddSession should use the path base of the web application, similarly to how antiforgery token does.

Steps To Reproduce

Give your web application a path base and use SessionServiceCollectionExtensions.AddSession to add session to the website, but do not specify a path of the session cookie. You will see in code that the path of the cookie is set by the framework to "/", which I believe comes from SessionDefaults.CookiePath.

Exceptions (if any)

No response

.NET Version

No response

Anything else?

I see 3 different ways to fix this issue.

1. Automatically set the cookie Path to the application's PathBase, instead of SessionDefaults.CookiePath.
2. Change the value of SessionDefaults.CookiePath from "/" to the application's path base.
3. Add an additional signature to SessionServiceCollectionExtensions.AddSession that accepts the http context, so my custom code can determine the PathBase and set it as the cookie path.

[Tratcher]

Here is what Antiforgery does:

aspnetcore/src/Antiforgery/src/Internal/DefaultAntiforgeryTokenStore.cs

Lines 79 to 99 in 4afe7f6

	public void SaveCookieToken(HttpContext httpContext, string token)
	{
	Debug.Assert(httpContext != null);
	Debug.Assert(token != null);
	var options = _options.Cookie.Build(httpContext);
	if (_options.Cookie.Path != null)
	{
	options.Path = _options.Cookie.Path;
	}
	else
	{
	var pathBase = httpContext.Request.PathBase.ToString();
	if (!string.IsNullOrEmpty(pathBase))
	{
	options.Path = pathBase;
	}
	}
	httpContext.Response.Cookies.Append(_options.Cookie.Name!, token, options);

Changing the default for Session would be breaking. Note we also use / for auth. I'm not sure why Antiforgery does something different.

edit nevermind, auth also uses path base by default.

aspnetcore/src/Security/Authentication/Core/src/RequestPathBaseCookieBuilder.cs

Lines 22 to 38 in 4afe7f6

	public override CookieOptions Build(HttpContext context, DateTimeOffset expiresFrom)
	{
	// check if the user has overridden the default value of path. If so, use that instead of our default value.
	var path = Path;
	if (path == null)
	{
	var originalPathBase = context.Features.Get<IAuthenticationFeature>()?.OriginalPathBase ?? context.Request.PathBase;
	path = originalPathBase + AdditionalPath;
	}
	var options = base.Build(context, expiresFrom);
	options.Path = !string.IsNullOrEmpty(path)
	? path
	: "/";
	return options;

[Coder3333]

@Tratcher , I haven't tracked down the Microsoft source code, yet, but in my application AddAuthentication and AddAntiforgery are creating their cookies with the proper path base, even though I am not doing anything to control that value. So far, AddSession is the only one of these that is creating the cookie at "/".

[ahaeber]

/azp run

[wessleym]

I also would appreciate if AddSession acted in the same way as AddAuthentication and AddAntiforgery. Thank you.