iOS 17 ASWebAuthenticationSession, Safari, and cookies

In iOS 17 beta 5, the alert controller that pops up when sharing cookies with Safari was different than it was in iOS 16. I'm not sure how many betas this was in, but it said:

Do you want <your app> to also sign in to <host> in Safari?

This allows <your app> and <host> in Safari to share information about you such as your account. <Your app> will work without this.

Cancel

Sign in to <Your app> & Safari

Only Sign in to <Your app>


In the official release of iOS 17, the alert is back to having just Cancel and Continue and the text it had previously:

<Your app> Wants to Use <host> to Sign In

This allows the app and website to share information about you.


Question is, was this a fluke in beta? Is the ability for users to disable Safari cookies something that is coming back? Is it a setting? I can't seem to find any information about this at all. It was concerning for us in beta, because it seemed like it was going to be a potential source of login issues, but now I'm not sure what to make of it.

Thank you!


Replies

Can you tell us more about what kinds of issues you're concerned about? Are you concerned about user confusion from the messaging? Or are there specific technical issues you're expecting may happen for your case? The more details you can provide, the more information we have to consider as we continue to improve this feature :)

  • @garrett-davidson We have a similar situation here as well. We are using AppAuth to handle login, and we had this "Do you want <your app> to also sign in to <host> in Safari?" and three options on a beta version of iOS 17. Please let me know if this is just a fluke or this might come back in the later version.

  • We tried iOS 17 beta 5 and beta 8, and both of them had this issue.


@garrett-davidson Sure thing. I do think some of our users will be confused, but that is also partly due to the login provider my company uses and decisions I don't have much control over. When users are presented this choice, I expect them to choose app only, and I don't blame them. The problem we'll face is that a "remember my device" setting for MFA is cookie-based, and users will be unintentionally disabling that. So we'll either have to communicate that to them proactively or handle it on the support side.

When I first saw this, I was actually excited because I thought it was going to help me make the case for dropping our login provider in favor of something more user-friendly. But that's realistically a bit of a stretch and I expect many in a similar situation will just be stuck supporting it.

In terms of improving this feature, one pain point with these SSO-type logins is that you also get the prompt asking for permission to sign in when a user signs out, if you actually want to clear out the cookie in Safari, followed by a modal web view quickly appearing and disappearing. So our choice there is to leave the cookie hanging, or present that experience to users. Maybe it's intentionally a disincentive to using these types of login providers, but realistically I don't think they're going away any time soon. Having some way to specify in the alert that it's for signing out would help -- maybe just an enum for sign in vs sign out.

Last thing, it would just be nice to have some warning if this change is coming so we have time to adapt. I'm still not sure if this is coming soon, and how soon, or what. And thanks for the response!

  • I would like to get an update on this behaviour as well @garrett-davidson. I have all the same concerns @jdayapex listed regarding the user experience as well as the impacts it has on refreshing a user's sessions if there is now another browser session use case to consider.
