Bug 11652 - System.Net.CookieException: Invalid cookie domain is thrown if cookie does not have explicit domain
Summary: System.Net.CookieException: Invalid cookie domain is thrown if cookie does no...
Alias: None
Product: Class Libraries
Classification: Mono
Component: System ()
Version: 2.10.x
Hardware: All All
: --- normal
Target Milestone: Untriaged
Assignee: Martin Baulig
Depends on:
Reported: 2013-04-08 11:40 UTC by Ben
Modified: 2018-03-13 11:07 UTC (History)
12 users (show)

Is this bug a regression?: ---
Last known good build:

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Please join us on Visual Studio Developer Community and in the Xamarin and Mono organizations on GitHub to continue tracking issues. Bugzilla will remain available for reference in read-only mode. We will continue to work on open Bugzilla bugs, copy them to the new locations as needed for follow-up, and add the new items under Related Links.

Our sincere thanks to everyone who has contributed on this bug tracker over the years. Thanks also for your understanding as we make these adjustments and improvements for the future.

Please create a new report on GitHub or Developer Community with your current version information, steps to reproduce, and relevant error messages or log files if you are hitting an issue that looks similar to this resolved bug and you do not yet see a matching new report.

Related Links:

Description Ben 2013-04-08 11:40:23 UTC
I have an issue with
System.Net.CookieException: Invalid cookie domain
Using Mono 2.10.12 (mono-2-10/c9b270d)

I create HttWebRequest with AllowAutoRedirect=true (default value), the server responses with
302 and redirects to another subdomain which sets cookie. So original request
goes to domainA.company.com which redirects to domainB.company.com and cookies
have domain domainB.company.com

The code works fine on desktop .NET but mono throws System.Net.CookieException:
Invalid cookie domain.
Comment 1 Ben 2013-04-09 11:51:43 UTC
Turns out fails even without the redirect.
The cookies server responds with are:
Set-Cookie: MSPRequ=lt=1365519346&co=1&id=500046; path=/;version=1
Set-Cookie: MSPOK=$uuid-62c1e481-e5ba-4704-a392-1f49362250ed; path=/;version=1

This is where it fails System.Net.CookieContainer.cs

		void AddCookie (Cookie cookie)

			if ((cookie.Version == 1) && (cookie.Domain[0] != '.'))
				throw new CookieException ("Invalid cookie domain: " + cookie.Domain);

			if (cookie.HasDomain && !CheckPublicRoots (cookie.Domain))
				throw new CookieException ("Invalid cookie domain: " + cookie.Domain);

Any suggestions?
Comment 2 Ben 2013-04-09 12:00:56 UTC
Suggested fix is
if ((cookie.Version == 1) && cookie.HasDomain && (cookie.Domain[0] != '.'))
				throw new CookieException ("Invalid cookie domain: " + cookie.Domain);
Comment 3 Ben 2013-08-04 10:34:54 UTC
here is the code:
var request = (HttpWebRequest)WebRequest.Create(uri);
request.CookieContainer = new System.Net.CookieContainer();
request.Method = "GET";
request.UseDefaultCredentials = true;
request.UserAgent = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)";

           var response = request.GetResponse();
        catch (WebException ex)
        {  // CookieException here }
this is HTTP traffic:

GET https://login.microsoftonline.com/login.srf?wa=wsignin1%2E0&rpsnv=2&ct=1375625757&rver=6%2E1%2E6206%2E0&wp=MBI&wreply=https%3A%2F%2Fhdrcloud%2Esharepoint%2Ecom%2F%5Fforms%2Fdefault%2Easpx&lc=1033&id=500046&guests=1 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: login.microsoftonline.com

server reply,
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 20412
Content-Type: text/html; charset=utf-8
Expires: Sun, 04 Aug 2013 14:15:00 GMT
Server: Microsoft-IIS/7.5
X-XSS-Protection: 0
Set-Cookie: MSPRequ=lt=1375625760&co=1&id=500046; path=/;version=1
Set-Cookie: MSPOK=$uuid-a5bdc46a-9263-4c25-a579-086ebe400b7b; path=/;version=1
X-Frame-Options: deny
PPServer: PPV: 30 H: CO1IDOLGN54 V: 0
Date: Sun, 04 Aug 2013 14:15:59 GMT
Connection: close

here is exception occurring only in mono

ex {System.Net.WebException: Invalid cookie domain: login.microsoftonline.com ---> System.Net.CookieException: Invalid cookie domain: login.microsoftonline.com at System.Net.CookieContainer.AddCookie (System.Net.Cookie cookie) [0x00000] in :0 at System.Net.CookieContainer.Add (System.Uri uri, System.Net.Cookie cookie) [0x00000] in :0 at System.Net.HttpWebResponse.SetCookie (System.String header) [0x00000] in :0 at System.Net.HttpWebResponse.FillCookies () [0x00000] in :0 at System.Net.HttpWebResponse..ctor (System.Uri uri, System.String method, System.Net.WebConnectionData data, System.Net.CookieContainer container) [0x00000] in :0 at (wrapper remoting-invoke-with-check) System.Net.HttpWebResponse:.ctor (System.Uri,string,System.Net.WebConnectionData,System.Net.CookieContainer) at System.Net.HttpWebRequest.SetResponseData (System.Net.WebConnectionData data) [0x00000] in :0 --- End of inner exception stack trace ---
Comment 4 aao 2013-08-16 22:39:32 UTC
The problem is the version . All cookies without version work fine. I removed version and my code started to work. I was manually setting cookie header in the previous version, never noticed it, this version xamarin team disabled that functionality for some reason, the only way to set the cookies is through that annoying collection.
Comment 5 Aaron Robertson-Hodder 2013-10-16 20:25:21 UTC
This has become a major issue for us at this point because it seems there has been a change in the cookie that is issue by SharePoint online (Office 365). This cookie now have a version of 1 and a domain of login.microsoftonline.com as Ben says above. Unless I am very much mistaken there is no way to work around this and therefore all authentication to SharePoint Online is now broken for Mono. 

While I understand that this cookie now violates the RFC in this regard, the fundamental purpose of Mono is to replicate the .Net Framework not to adhere to standards.

This issue is very critical to our business at this point and if there is anything that can be done we would really appreciate it. 


Comment 6 Ben 2013-10-23 16:11:41 UTC
This is fun how guys are selling commercial product and refuse to address a bug reported more than 6 months ago.
Comment 8 Adam Lepley 2014-01-28 09:26:57 UTC
I am having this same issue connecting to a cloud platform (Service-Now) using their auto generated REST API's. Same code works perfectly in a normal command line .NET 4.5 app. I verified and I am receiving cookies with version=1, but I don't have control over this. Hopefully this gets addressed soon. Data exchanges with our cloud platform is obviously critical functionally and our project is now at a standstill. I wish I would have discovered this before purchasing Xamarin.
Comment 10 Rodja Trappe 2014-07-20 09:05:06 UTC
It's really painful to see this bug still exists. I've worked around the issue by doing all the cookie handling myself:

# getting cookies from a request object
var response = (HttpWebResponse) request.GetResponse();
var cookieHeader = response.Headers["Set-Cookie"]

# adding cookies to new requests or in this example a WebClient
using (var client = new WebClient()) {
    client.Headers[HttpRequestHeader.ContentType] = "application/json";
    headers.Add("Cookie", cookieHeader);
    var response = client.DownloadString.... or similar stuff

What a mess.
Comment 11 Martin Baulig 2016-11-11 09:50:36 UTC
Does this problem still exist?
Comment 12 Marek Safar 2018-03-13 11:07:36 UTC
We have not received the requested information. If you are still experiencing this issue please provide all the requested information and reopen the bug report.

Thank you!