12

Maybe I'm missing something, but from Apple's documentation for NSHTTPCookieStorage, I can't help but wonder how this is safe to use.

Does this mean that cookie storage is shared across all apps on the iPhone? If my app makes an HTTP call that results in some cookies being saved, do all apps now have access to these cookies?

Methods like:

cookiesForURL: Returns all the receiver's cookies that will be sent to a specified URL.

make it look even more suspicious.

Can someone explain how this is OK, and what the class does?

Also, assuming my understanding is flawed and this is indeed sandboxed per-app, do calls made using NSURLRequest automatically save/retrieve cookies from this store or is it the developer's responsibility to set request headers before dispatching the request?

psychotik
  • FYI: I tested this and it seems like it is sandboxed to your app. So, if you hit a site in a UIWebView from your app, the cookies set by the browser become available to you. But not those by other apps. I'll log a doc bug for Apple – psychotik Mar 26 '10 at 02:29
  • Apple seems to have updated the documentation, now stating that on iOS cookies are NOT shared among applications. – Nikolai Ruhe Oct 13 '10 at 15:31

3 Answers

22

Your application only has access to cookies within its own sandbox.

Alex Reynolds
  • Thanks. Can you cite a source/documentation? Or do you know this based on experience? This is totally not how I interpret the documentation I linked to above, so I wanted to find out more. – psychotik Mar 26 '10 at 00:43
  • As near as I can tell, I can only access non-expired cookies created by my own application. I can't access any cookies created by Mobile Safari, for example. However, I haven't tested this too stringently, and it looks like the documentation you cited contradicts my experience. I would test this yourself: use Safari with web pages that issue cookies, then in your own app, iterate through the cookies in the singleton cookie jar and see what you find. If you don't see Safari cookies, that would contradict the documentation -- might be worth a report to http://bugreport.apple.com at that point. – Alex Reynolds Mar 26 '10 at 00:55
  • 1
    Yes, I tested this and it seems like it is sandboxed to your app. So, if you hit a site in a UIWebView from your app, the cookies set by the browser become available to you. But not those by other apps. I'll log a doc bug for Apple. – psychotik Mar 26 '10 at 02:28
  • 1
    According to documentation, **iOS Note: Cookies are not shared among applications in iOS.** This is in the "Overview" section – Alaa Nassef Jun 15 '11 at 08:49
  • In the NSHTTPCookieStorage class reference, I see a note which says "Changes made to the cookie accept policy affect all currently running applications using the cookie storage.". Does this really mean that it will affect all the running applications? In that case it's really dangerous and the developer needs to be very cautious to set it appropriately every time. – Soumya Das Jul 21 '11 at 03:56
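
The test suggested in the comments above (iterate the shared cookie jar and see what it holds), written out as an added Objective-C example that is not code from any poster on this page. `AuditCookieJar`, the `example.com` URL and the sample cookie are constructed for illustration; the last lines show that a request uses this jar automatically (`HTTPShouldHandleCookies` defaults to `YES`) unless the developer turns it off.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helper (not an Apple API): one report line per cookie that is
// visible to THIS process, with the attributes a reviewer would check.
static NSArray<NSString *> *AuditCookieJar(NSHTTPCookieStorage *jar) {
    NSMutableArray<NSString *> *report = [NSMutableArray array];
    for (NSHTTPCookie *cookie in [jar cookies]) {
        NSMutableArray<NSString *> *flags = [NSMutableArray array];
        if (![cookie isSecure])     [flags addObject:@"no Secure"];
        if (![cookie isHTTPOnly])   [flags addObject:@"no HttpOnly"];
        if ([cookie isSessionOnly]) [flags addObject:@"session-only"];
        [report addObject:[NSString stringWithFormat:@"%@%@ %@ [%@]",
                           [cookie domain], [cookie path], [cookie name],
                           [flags componentsJoinedByString:@", "]]];
    }
    return report;
}

int main(void) {
    @autoreleasepool {
        NSHTTPCookieStorage *jar = [NSHTTPCookieStorage sharedHTTPCookieStorage];

        // Constructed sample cookie so the jar is not empty on a first run.
        NSHTTPCookie *sample = [NSHTTPCookie cookieWithProperties:@{
            NSHTTPCookieName:   @"session_id",
            NSHTTPCookieValue:  @"constructed-sample-value",
            NSHTTPCookieDomain: @"example.com",
            NSHTTPCookiePath:   @"/",
        }];
        if (sample) [jar setCookie:sample];

        // Everything the app can see: cookies it set itself or received
        // through its own requests and web views.
        for (NSString *line in AuditCookieJar(jar)) NSLog(@"%@", line);

        // cookiesForURL: only filters that same jar by URL.
        NSURL *url = [NSURL URLWithString:@"https://example.com/account"];
        NSLog(@"%lu cookie(s) would be sent to %@",
              (unsigned long)[[jar cookiesForURL:url] count], url);

        // Requests attach and store cookies from this jar unless told not to.
        NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
        NSLog(@"HTTPShouldHandleCookies = %d", [request HTTPShouldHandleCookies]);
        [request setHTTPShouldHandleCookies:NO]; // manage the Cookie header yourself
    }
    return 0;
}
```
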
7

From http://developer.apple.com/iphone/library/documentation/Cocoa/Conceptual/URLLoadingSystem/Concepts/URLOverview.html:

iPhone OS Note: Cookies are not shared by applications in iPhone OS.

user347383
3

I guess you're confused by the fact that you can access cookies from other domains/URLs. That is technically true because your native app is "a browser" when you use UIWebView. If you load www.siteA.com and www.siteB.com in your UIWebView, both domains' cookies are available to your objc code. All apps, including Mobile Safari, have their own CookieJar and none of them can access the other one.

  • 1
    I don't understand why my answer has a negative feedback :) cookiesForURL is exactly to get cookies for a specific URL. That URL could be any URL you mention. The twist is, it only returns the cookies in your cookie jar. If you make the user browse to facebook.com in your app, you'll have access to facebook.com cookies. – Ibrahim Okuyucu Nov 30 '10 at 06:22