From 745c66fd4d9599dec04a22293ccd2a4f830edadc Mon Sep 17 00:00:00 2001
From: idotta
Date: Fri, 2 Jan 2026 22:55:17 -0300
Subject: [PATCH 1/2] Implement per-tenant cookie isolation for authentication
---
 .../Extensions/ServiceCollectionExtensions.cs | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs b/src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs
index c1fcf49..0791495 100644
--- a/src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs
+++ b/src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs
@@ -210,6 +210,15 @@ private static void ConfigureMultiTenant(IServiceCollection services, IdmtOption
 // Enable per-tenant authentication - critical for proper multi-tenant isolation
 builder.WithPerTenantAuthentication();
+
+
+ // Isolate Cookies per Tenant
+ builder.Services.ConfigurePerTenant(
+ IdentityConstants.ApplicationScheme, (options, tenantInfo) =>
+ {
+ // Prevents Tenant A's tab from overwriting Tenant B's session
+ options.Cookie.Name = $"{idmtOptions.Identity.Cookie.Name}.{tenantInfo.Identifier}";
+ });
 }
 private static void ConfigureIdentity(IServiceCollection services, IdmtOptions idmtOptions)
@@ -261,7 +270,6 @@ private static void ConfigureAuthentication(
 authenticationBuilder.AddIdentityCookies();
 services.ConfigureApplicationCookie(options =>
 {
- options.Cookie.Name = idmtOptions.Identity.Cookie.Name;
 options.Cookie.HttpOnly = idmtOptions.Identity.Cookie.HttpOnly;
 options.Cookie.SecurePolicy = idmtOptions.Identity.Cookie.SecurePolicy;
 options.Cookie.SameSite = idmtOptions.Identity.Cookie.SameSite;
From cf4de37dd84b04ee0d217259aff84faf436bd21c Mon Sep 17 00:00:00 2001
From: idotta
Date: Fri, 2 Jan 2026 22:58:50 -0300
Subject: [PATCH 2/2] Ensure tenant identifier is validated when configuring cookie options
---
 src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
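Review bot: In the ConfigureMultiTenant hunk of PATCH 1/2, only `IdentityConstants.ApplicationScheme` gets a tenant-suffixed cookie name, while the ConfigureAuthentication hunk of the same patch shows `authenticationBuilder.AddIdentityCookies()`, which also registers the external and two-factor cookie schemes. Unless those are named per tenant somewhere outside this diff, two tenants open in the same browser still share the `IdentityConstants.ExternalScheme`, `IdentityConstants.TwoFactorUserIdScheme` and `IdentityConstants.TwoFactorRememberMeScheme` cookies, so an in-progress external or two-factor sign-in for one tenant can be overwritten by the other. I would repeat the `ConfigurePerTenant` call for each of those schemes with the same `.{identifier}` suffix, or loop over the four scheme names. ConfigureMultiTenant begins above the hunk, so the builder setup and tenant resolution strategy are not visible here.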
diff --git a/src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs b/src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs
index 0791495..b179378 100644
--- a/src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs
+++ b/src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs
@@ -216,8 +216,9 @@ private static void ConfigureMultiTenant(IServiceCollection services, IdmtOption
 builder.Services.ConfigurePerTenant(
 IdentityConstants.ApplicationScheme, (options, tenantInfo) =>
 {
+ var tenantIdentifier = tenantInfo?.Identifier ?? throw new InvalidOperationException("Tenant information is required to configure cookie options.");
 // Prevents Tenant A's tab from overwriting Tenant B's session
- options.Cookie.Name = $"{idmtOptions.Identity.Cookie.Name}.{tenantInfo.Identifier}";
+ options.Cookie.Name = $"{idmtOptions.Identity.Cookie.Name}.{tenantIdentifier}";
 });
 }
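Review bot: The new guard on `tenantInfo?.Identifier` rejects only null, so an empty or whitespace identifier still yields a cookie name ending in a bare `.`, and the identifier is otherwise interpolated into `options.Cookie.Name` unchecked. Cookie names are limited to token characters, so if identifiers can originate from a route segment, host or header (the resolution strategy is not visible in this diff), a value containing `;`, `=`, `,` or whitespace would produce a malformed name or an exception when the options are built. I would tighten the check to `if (string.IsNullOrWhiteSpace(tenantInfo?.Identifier)) throw new InvalidOperationException(...)` and validate the identifier against an allow-list pattern, or encode it, before it reaches the cookie name. The throw also deserves a one-line comment stating the intent, for example `// Fail closed: never fall back to a cookie name shared across tenants`. The lambda sits inside ConfigureMultiTenant, which starts outside the hunk.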