Unable to delete multiple same-key cookies when `Path` is different but `Domain` is specified

[robbiedhickey]

Describe the bug

When you attempt to delete multiple cookies that happen to share the same Key and Domain, but have different Path values, only the last cookie will be emitted as a Set-Cookie header in the response stream.

SameKey/NoDomain/DifferentPath works, but I happen to need the Domain for my use case.

As far as I can tell, this is because the rejectPredicate treats the Domain and Path as mutually exclusive. As a result, if the Domain is defined in the CookieOptions then the predicate will never take into account the presence of a Path.

aspnetcore/src/Http/Http/src/Internal/ResponseCookies.cs

Lines 110 to 121 in c925f99

	if (domainHasValue)
	{
	rejectPredicate = (value, encKeyPlusEquals, opts) =>
	value.StartsWith(encKeyPlusEquals, StringComparison.OrdinalIgnoreCase) &&
	value.IndexOf($"domain={opts.Domain}", StringComparison.OrdinalIgnoreCase) != -1;
	}
	else if (pathHasValue)
	{
	rejectPredicate = (value, encKeyPlusEquals, opts) =>
	value.StartsWith(encKeyPlusEquals, StringComparison.OrdinalIgnoreCase) &&
	value.IndexOf($"path={opts.Path}", StringComparison.OrdinalIgnoreCase) != -1;
	}

FWIW, this issue does not appear in full .NET Framework. My organization has a few legacy .NET applications that support this requirement.

To Reproduce

This is a simple api repro with a single /cookies endpoint that demos deleting cookies with SameKey/SameDomain/DifferentPath as well as SameKey/NoDomain/DifferentPath to illustrate.

https://github.com/robbiedhickey/repro-unexpected-cookie-deletion-behavior

Exceptions (if any)

N/A

Further technical details

dotnet --info

 .NET SDK (reflecting any global.json):
 Version:   5.0.102
 Commit:    71365b4d42

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\5.0.102\

Host (useful for support):
  Version: 5.0.2
  Commit:  cb5f173b96

.NET SDKs installed:
  2.1.802 [C:\Program Files\dotnet\sdk]
  2.2.402 [C:\Program Files\dotnet\sdk]
  3.0.100 [C:\Program Files\dotnet\sdk]
  5.0.102 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.All 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.24 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.24 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.24 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.11 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

VS 2019 Version 16.8.4

[BrennanConroy]

cc @Tratcher from my limited understanding of cookie behavior this seems like a bug.

Thanks for contacting us.
We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We will evaluate the request when we are planning the work for the next milestone. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[wcontayon]

Hi @BrennanConroy, I'm studying the AspNetCore source code, and this issue seems interesting to submit a PR.

[BrennanConroy]

Sounds great! Personally I would start off by writing a test that fails because of this bug, likely in

aspnetcore/src/Http/Http/test/ResponseCookiesTest.cs

Line 61 in c925f99

public void DeleteCookieShouldSetDefaultPath()

Then make the fix and make sure it passes 😃

[wcontayon]

Sounds great! Personally I would start off by writing a test that fails because of this bug, likely in

aspnetcore/src/Http/Http/test/ResponseCookiesTest.cs

Line 61 in c925f99

public void DeleteCookieShouldSetDefaultPath()

Then make the fix and make sure it passes 😃

Thanks @BrennanConroy for your insights. I'll submit a PR.

[BrennanConroy]

Fixed via #32897