9

On Safari in iOS 10 my video doesn't work, only showing the play-icon.

I serve the video via an asp.net server, which checks to make sure the user has logged on and have access to the video. Only, on iOS 10 the server will respond with 401 Unauthorized!

Doing some testing with the code below, I found that safari on iOS 9 sends the ".ASPXAUTH" cookie - but safari on iOS 10 doesn't!

<video crossorigin="use-credentials" controls autoplay="autoplay">
    <source src="/Server/GetVideo.ashx?id=123"/>
</video>

Why is safari not able to play my video? Is there any way to solve it?

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
Mystogan
  • 547
  • 4
  • 21
  • 3
    Same here. In my case it is a LAMP stack application that also does a precheck via Cookie/Session. Seems like iOS 10 does not send any cookies when it comes to loading a video. I am still searching for a solution. I can not believe that there is no way to handle that pretty common use-case. – Marco Sep 23 '16 at 13:17
  • @FlyBy have you found any solution to this yet? – Hurricane Oct 03 '16 at 15:25
  • Sorry for the late reply. It looks like you will not be able to make iOS load the videos including sessioncookies. We solved it as follows: Generate a per user unique "media token". This token needs to be appended as GET parameter to each video request that is made when using iOS 10. Use the media token to identify users when requesting video resources. This way the videos do not need to be completely public available and there is at least some minimum of "security". The link could be copied and pasted, but at least it will only be valid as long the users session is valid. – Marco Oct 10 '16 at 07:19

3 Answers3

2

We have the exact same problem with a completely different technology stack (Linux, PHP, Moodle). Our session cookie is not sent with video (and audio) requests.

We weren't able to figure out a way to make iOS behave properly here, so we are doing an emergency patch to solve the problem by detecting iOS 10 and sending it to a different script to serve the video, passing a securely encrypted version of the session cookie value inside the path to this script, and then doing various hacks so that the value from the path gets used to identify the session from within that script (instead of the nonexistent cookie). This change works but is complex, has minor security implications, and might be harder to implement on different technologies.

This seems like a major problem with iOS 10 so I would hope that it might be fixed in a future update. Also, I note that although our session cookie is not included with the video, several other cookies are included! I couldn't actually figure out which ones weren't. (One of the first things I tried was to use a timed-expiry instead of session cookie, but this didn't get sent with the video either.)

sam
  • 2,105
  • 2
  • 15
  • 18
  • I agree, this really feels like a major issue with iOS. I have sent a bug report to apple, so with hope they will fix it in a minor update. – Mystogan Sep 26 '16 at 08:57
2

Solution is to be found here:

HTML5 video/audio player on mobile Safari (iOS 7 & iOS 10) excludes cookies

Set an expire date to the cookie and the video player in iOS 10 can read back the cookie. Session cookies without an expire date can not be read back by the video player in iOS 10.

Community
  • 1
  • 1
Kalle
  • 610
  • 7
  • 14
  • Ideally I would like not to set an expiration date on the asp.net cookies, keeping them non-persistent - but nonetheless, thank you for the great answer! Edit: tested this, but still did not resolve the issue unfortunately. – Mystogan Sep 26 '16 at 08:50
2

My solution is here: https://stackoverflow.com/a/40015409/7012293

Basically you need to send a 403 forbidden if the session cookie is missing. Safari will retry with the session cookie.

Community
  • 1
  • 1
Henry Yang
  • 155
  • 1
  • 6