Cookies are not sent with the request in Safari on iPhone and iPad

I have been struggling with one issue for the past few days. For my web application, cookies are used to recognize the machine. If the proper cookies are not passed with the request, then the application will go through second-factor authentication (i.e. the user has to enter an OTP to log in).


Only on iPhone and iPad, users are being asked to enter the OTP every time. I can see that cookies are created on the iPhone/iPad, but they are not being sent to the server with subsequent requests. This behavior occurs only if we close and re-open the Safari browser. If I do not close Safari, then the cookies are passed without any issues and the application works as expected.


We do not have this issue in Android/MacOS/Windows OS.


If anyone has any idea, please help me.


NOTE: We are using secure HttpOnly persistent cookies. The expiration of the cookie is one year.


Cookie creation code is as follows

private void CreateCookie(HttpResponseBase aobjResponse, string astrCookieKey, string astrCookieValue, DateTime adtCookieExpiry) {
     // Build a persistent, HttpOnly cookie with the given key, value and expiry.
     HttpCookie lobjCookie = new HttpCookie(astrCookieKey)
     {
          Expires = adtCookieExpiry,
          Value = astrCookieValue,
          HttpOnly = true,
     };
     // Drop any cookie with the same key already queued on this response, then add the new one.
     if (aobjResponse.Cookies.Get(astrCookieKey) != null)
     {
          aobjResponse.Cookies.Remove(astrCookieKey);
     }
     aobjResponse.Cookies.Add(lobjCookie);
}

Your issue could possibly be related to checking the response object vs. the request object for the presence of the cookie. When checking the response object for the cookie, .NET automatically creates the cookie. I came across this good post about this while researching my issue below...


https://stackoverflow.com/questions/456807/asp-mvc-cookies-not-persisting/590258#590258


We are seeing this same exact behavior with our web application, but we are using the request object and still seeing it. It didn't start occurring until upgrading to iOS 11. Also, we are only seeing the issue when adding the app to the home screen. If you run it in Safari in the mobile browser, it seems to work fine so far. We are also experiencing a similar issue where, if you log out and expire the HttpOnly cookie from the service, the app resends the cookie on subsequent requests, thus resulting in the user being automatically logged in again. Have you been able to figure anything out with this so far?

Thanks for your reply. I have tried this option, but no luck yet.


For me, I can see the cookie created on the device with a size of 5.1 MB for the domain which I am working on. But I cannot see this same cookie in the request object for the subsequent request.


If I log out and log in again without closing the Safari browser, then I can see the cookie is there in the Request object. But if I close the Safari browser and re-open it, then the cookie is not there in the Request object.

We are experiencing a very similar issue on a .NET MVC web application, any news? The bug seems to affect a small percentage of users (with various Apple User Agents); from our logs it seems that the browser does not send all the cookies through the headers of XMLHttpRequest.



Note: Also, our missing cookies are HttpOnly.



We will check the article on getting cookie values from the response, as you suggest.



We tried to see if this could be compatible with a header/cookie size limit on the Safari browser (although modern browsers seem to have pretty high size limits); we were able to reproduce the issue by adding a batch of cookies to the browser. Unfortunately, we could not figure out when and which cookie Safari will delete, and there's no documentation on this subject.



Any other ideas?
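
An added example, not code from any poster in this thread: a small C# helper for the kind of server-side logging described above, recording which expected cookies are absent from a request's raw Cookie header and how large that header was, without logging cookie values. The cookie names, user agent and sample headers are constructed; in an ASP.NET application the raw header would come from Request.Headers["Cookie"].

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

public static class CookieHeaderAudit
{
    // Parses a raw Cookie request header ("a=1; b=2") into name -> value.
    public static Dictionary<string, string> Parse(string rawHeader)
    {
        var cookies = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var pair in (rawHeader ?? "").Split(';'))
        {
            var trimmed = pair.Trim();
            if (trimmed.Length == 0) continue;
            int eq = trimmed.IndexOf('=');
            // A pair without '=' is kept as a name with an empty value.
            string name = eq < 0 ? trimmed : trimmed.Substring(0, eq);
            string value = eq < 0 ? "" : trimmed.Substring(eq + 1);
            cookies[name] = value;
        }
        return cookies;
    }

    // Builds one log line: cookie count, header size, missing expected cookies, per-cookie value sizes.
    public static string Describe(string rawHeader, string userAgent, IEnumerable<string> expectedNames)
    {
        var cookies = Parse(rawHeader);
        var missing = expectedNames.Where(n => !cookies.ContainsKey(n)).ToList();
        int headerBytes = Encoding.UTF8.GetByteCount(rawHeader ?? "");
        // Log names and sizes only, never values: these cookies identify the device.
        var sizes = cookies.Select(c => c.Key + ":" + Encoding.UTF8.GetByteCount(c.Value));
        // Replace double quotes so a crafted User-Agent cannot break the quoted log field.
        string safeUa = (userAgent ?? "").Replace('"', '\'');
        return string.Format("cookies={0} headerBytes={1} missing=[{2}] sizes=[{3}] ua=\"{4}\"",
            cookies.Count, headerBytes, string.Join(",", missing), string.Join(",", sizes), safeUa);
    }

    public static void Main()
    {
        // Constructed sample input; "DeviceId" and "SessionId" are hypothetical cookie names.
        var expected = new[] { "DeviceId", "SessionId" };
        string ua = "constructed-user-agent";
        Console.WriteLine(Describe("SessionId=abc123; DeviceId=9f8e7d", ua, expected));
        Console.WriteLine(Describe("SessionId=abc123", ua, expected)); // DeviceId not sent
        Console.WriteLine(Describe(null, ua, expected));               // no Cookie header at all
    }
}
```

Comparing headerBytes and the missing list across user agents shows whether the dropped cookies correlate with header size or with specific clients.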
