Search results for "ASWebAuthenticationSession cookie"

1,295 results found

Post | Replies | Boosts | Views | Activity

Reply to Files Provider Extension Domain:Process mapping
I am curious why you need to rely on the domain:process mapping though, if you don't mind to share. Thanks for the response! We don't need to rely on domain:process mapping, but I'm trying to understand what we can rely on. For example, each domain is a separate account - things like cookies, caches, etc are probably not to be shared across accounts. I'm looking at the header for NSFileProviderDomain right now, and I see this comment: On the extension side, a separate instance of NSFileProviderExtension will be created for each @c NSFileProviderDomain registered. In that case, the @c NSFileProviderExtension.domain properties will indicate which domain the NSFileProviderExtension belongs to (or nil if none). This is what led me to believe that all of the calls for a particular domain would be routed to a single process. I'm finding that not to be the case - calls for any domain can come to any Files Extension process, which would seem to contradict that comment as I understand it. Is that as expected?
Topic: App & System Services SubTopic: Core OS Tags:
Jun ’25
How to delete cookies on iOS 18
Hello, I have encountered an issue with an iPhone 15PM with iOS 18.5. The NSHTTPCookieStorage failed to clear cookies, but even after clearing them, I was still able to retrieve them. However, on the same system it is normal on iPhone 14PM. I would like to know the specific reason and whether there are any adaptation related issues. Following code:

    NSHTTPCookie *cookie;
    NSHTTPCookieStorage *storage = [NSHTTPCookieStorage sharedHTTPCookieStorage];
    for (cookie in [storage cookies]) {
        [storage deleteCookie:cookie];
    }

1
0
129
May ’25
Custom Default Browser Not Receiving ASWebAuthenticationSession SSO After Launching Safari/Chrome
Hi Apple Developer Support, I’m building a macOS app that acts as a default browser. I can confirm that I can set it correctly through System Settings → Default Web Browser. The app implements ASWebAuthenticationSessionWebBrowserSessionHandling to intercept Single Sign-On (SSO) flows. To handle requests, it presents SSO pages in a WKWebView embedded in a window that this app creates and owns - this works perfectly for the initial login flow. However, after I close my WebView window and then launch Safari or Chrome, any subsequent SSO requests open in the newly-launched browser instead of my custom browser, even though it remains selected as the default in System Settings. I’d appreciate any insight on why the system “hands off” to Safari/Chrome in this scenario, and how I can keep my app consistently intercepting all ASWebAuthenticationSession requests. Here are the steps that break down the issue: Launch & confirm that the custom default browser app is the default browser in System Settings → De
0
0
101
May ’25
Issue with Session Sharing Between Safari and ASWebAuthenticationSession
We are experiencing an issue with session sharing on iOS and would appreciate your guidance. We operate and control our own OpenID Connect (OIDC) server. Our iOS application uses ASWebAuthenticationSession to authenticate users. We're unable to get the authentication session to be shared between the Safari app and the app's ASWebAuthenticationSession. This results in users having to re-authenticate despite being logged in via Safari. We've attempted various configurations related to cookie SameSite settings. These adjustments resolved the session sharing issue on Android using Chrome Custom Tabs. However, no changes we've tried have enabled session sharing to work as expected on iOS. According to documentation from Apple, Microsoft, Okta, and Auth0, session sharing between Safari and ASWebAuthenticationSession should work. Question: Are there any additional settings, configurations, or platform limitations we should be aware of that could impact session sharing on iOS? Wher
Topic: UI Frameworks SubTopic: General
0
0
69
May ’25
On iOS 18.0, when setting a cookie with SameSite=None; Secure, the attribute does not take effect and is automatically converted to SameSite=Lax.
On iPhone 16 running iOS 18.0 (Xcode 16.2), cookies configured with SameSite=None; Secure fail to apply correctly—iOS forcibly converts the attribute to SameSite=Lax. As a result, cross-site requests from H5 pages within our app cannot carry the required cookies, causing failures. Can anyone help me on this? Thanks in advance.
1
0
157
May ’25
Safari falsely flags our secure site (outdoorgala.com) as deceptive — how to request a review
Hi Apple Devs & WebKit Team, We operate https://outdoorgala.com — a verified, HTTPS-secure Canadian ecommerce site focused on elite outdoor safety gear. We're Indigenous-owned, based in Alberta, and take customer trust and compliance seriously. However, Safari (iOS + macOS) is falsely flagging our site as “deceptive,” preventing customers from accessing us — even though: We use GoDaddy Website Builder with no redirections or malware All product links are clean, HTTPS-secure, and tracked ethically We recently implemented a fully compliant cookie banner (Accept/Decline logic) A public security.txt and OpenPGP key has been published: https://outdoorgala.com/security No phishing, malware, or cloaking behavior exists on the site We’ve already submitted a review via: ➡️ https://websitereview.apple.com And filed a bug report via Feedback Assistant (FB17608544) What else can be done to speed up review or get flagged domains unblocked in Safari? This is hurting our business and blocking consumer access —
0
0
141
May ’25
Session cookie issue in Apple's Webkit
Dears, we are facing an issue in iOS 18.4.1. Recently some of our end users who updated their iOS devices to 18.4.1 have experienced random 403 errors at runtime. As per our analysis, we identified that these errors are associated with a CSRF token mismatch. After successful login, the user's CSRF token is causing an issue and it was changed at runtime; this causes the cookie mismatch, the user gets 403 errors, and the user session suddenly becomes invalid. Let me know if anyone is facing the same issue in iOS 18.4.1, and let me know if there is any workaround for this issue. Thanks.
0
0
136
May ’25
ASWebAuthenticationSession crash after window closes on macOS
I'm trying to use ASWebAuthenticationSession on macOS but there is a weird crash and I have no idea what to do. It looks like there is a main thread check in a framework code that I have no control over. Any help would be appreciated. Thank you in advance. The stack of crashed thread has no symbols, even for supposedly my code in OAuthClient.authenticate.

macOS 15.4.1 (24E263)
Xcode Version 16.3 (16E140)

Thread 11: EXC_BREAKPOINT (code=1, subcode=0x10039bb04)
Thread 12 Queue : com.apple.NSXPCConnection.m-user.com.apple.SafariLaunchAgent (serial)
#0 0x0000000100b17b04 in _dispatch_assert_queue_fail ()
#1 0x0000000100b52834 in dispatch_assert_queue$V2.cold.1 ()
#2 0x0000000100b17a88 in dispatch_assert_queue ()
#3 0x000000027db5f3e8 in swift_task_isCurrentExecutorWithFlagsImpl ()
#4 0x00000001022c7754 in closure #1 in closure #1 in OAuthClient.authenticate() ()
#5 0x00000001022d0c98 in thunk for @escaping @callee_guaranteed (@in_guaranteed URL?, @guaranteed Error?) -> () ()
#6 0x00000001c7215a34 in _
1
0
126
May ’25
When using WKWebView in iOS 18.0 (Xcode 16.2) to open a local H5 page, the request for server resources cannot carry cookies.
In our project, we download H5 resources to the local device and then open the H5 pages through WKWebView (-loadFileURL:allowingReadAccessToURL:). When the H5 pages request server resources, cookies are required. Before opening the H5 page, we set the required cookies in the WKHTTPCookieStore using the setCookie method. Additionally, we set the allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs properties for the WebView. On other mobile phones, the cookies can be carried normally. However, on mobile phones running the iOS 18.0 system, the cookies cannot be carried. Moreover, this problem only emerged after we upgraded Xcode to version 16.2. We've also tried injecting cookies via JavaScript, but it didn't work (document.cookie = xx=${xx}; path=/; expires=weekday, xx jan xxxx xx:xx:xx GMT; Domain=example.com; Secure; SameSite=None ;). Can anyone help me on this? Thanks in advance.
2
0
198
May ’25
Safari Extension: Cookie Header Missing in Background Fetch from Non-Default User Profile (Works in Default Profile)
When our Safari Web Extension makes an API request from its background script (registered via scripts in manifest.json, e.g., background: { scripts: [js/background.bundle.js] }) to our authenticated API endpoint (https://api-domain/user), the Cookie header is not included in the request. This occurs only when the extension is running within a non-default Safari User Profile. This causes our API to treat the user as unauthenticated. The exact same extension code, manifest, and API call work correctly (Cookie header is present and user is authenticated) when the extension is running in the Default Safari User Profile.
0
0
125
May ’25
Reply to Mobile apps and consent dialogue when logging in
I think a few different concepts are getting mixed up here. There's the concept of Associated Domains, where you can form a two-way association between an app and a website. Setting this up when you control both the app and the website lets the system provide some additional security-sensitive features, like improved password AutoFill and passkey support. ASWebAuthenticationSession itself currently doesn't check anything with Associated Domains. It is mainly built for signing in to third party services, where the app and the website are owned by separate entities. The consent prompt for ASWebAuthenticationSession is because it allows the app to share data with Safari, which is something apps can't normally do without user consent. The only way to avoid the prompt is to set prefersEphemeralWebBrowserSession = true, though that also means no state can be shared. There are two potential other options worth exploring: If you own all the apps that you want to share state, you could use App Groups
Topic: Privacy & Security SubTopic: General Tags:
May ’25
Reply to Share session from ASWebAuthenticationSession with WKWebView
ASWebAuthenticationSession is a full web browser instance, with access to web browser features and the web browser's cookies. WKWebView on the other hand is a way to embed web content inside another app. Conceptually, ASWebAuthenticationSession is managed by Safari, and WKWebView is managed by your app. There's no way to share cookies between the two. If you control the service you're signing in to, you could set up Associated Domains for your app and use WKWebView entirely. Using Associated Domains would mean you get the best AutoFill experience in your WKWebView, and have access to features like passkeys. If not, your options are more limited. If the service supports it, you may be able to use the auth token you receive from ASWebAuthenticationSession to bootstrap the session in the WKWebView, but depending on the service that may or may not be a viable option.
Topic: Privacy & Security SubTopic: General Tags:
May ’25