9

Context:

  • We have a cordova application loading an online website. (We basically use cordova for the plugins)
  • We store a cookie using $cookies.put()
  • It works fine in desktop browsers and on iOS (as long we use expiration on the cookie)

Problem:

On Android if the user kill the application with 30 seconds after $cookies.put() is called the cookie will be gone on the next reboot.

If the user wait more than 30 seconds (like 35 seconds or more) everything works fine.

Question:

How can we force the cookie to be saved instantly (or at least much faster)?

Notes:

  • Adding options on the cookie does not change anything
  • I tried to replace the system browser with crosswalk using cordova-plugin-crosswalk-webview but it does the same thing
jrobichaud
  • 1,272
  • 1
  • 11
  • 23
  • 1
    Have you tried the local storage instead? The default security options in Safari may cause problem with cookies for some users. – Emile Bergeron Oct 11 '16 at 20:29
  • 1
    The issue is on Android only. – jrobichaud Oct 11 '16 at 20:31
  • 1
    But why are you using cookies specifically? – Emile Bergeron Oct 11 '16 at 20:31
  • And my point was that some other issues could arise from using cookies. – Emile Bergeron Oct 11 '16 at 20:32
  • Local storage would indeed work, but after reading a bit, there seem to be a debate wether JWTs on localstorage vs cookies security. Interesting readings: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage `Stormpath recommends that you store your JWT in cookies for web applications, because of the additional security they provide`, https://auth0.com/blog/cookies-vs-tokens-definitive-guide/ but this would be a different question I suppose. We decided to go with Cookies for simplicity. cookies will be written by django, not javascript (so using `HttpOnly` flag). – GabLeRoux Oct 11 '16 at 20:48
  • 1
    @GabLeRoux The [article](https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage) is aimed at JWT that have sensible information in its body. So they are trying to hide it from XSS hacks, which they haven't really achieved, it's just more complicated. – Emile Bergeron Oct 11 '16 at 21:08
  • 1
    I suppose going with JWT in localstorage could be an option, but I still find the original problem weird. We should reproduce this in a minimal scenario. – GabLeRoux Oct 11 '16 at 21:25
  • Which version of Android are you using? – Leo Nikkilä Oct 12 '16 at 23:04

2 Answers2

3

I had the same problem and made a small plugin (still work in progress) to fix that.

It exposes the flush method, which will apply your cookie modifications (put and remove) to persistent memory.

link to cordova-plugin-cookie-manager

Feel free to contribute.

LeBodro
  • 71
  • 6
1

The CookieManager design in the android makes it difficult to implement. The webview and the cookiemanager which contain their own in_memory databases and are in sync to one another hence there is no need to sync the two of them.

The removeSessionCookie doesn't provide a callback or any way for it to complete and since this method has been implemented in the WebView classic versions.

Here are some solutions in which you can sync up between HttpUrlCookieManager and the android webkit cookie manager

Sync up link 1

Another thing to note here is when you use $cookie.put() it defines the cookies to be sent along with the rest of the HTTP headers to the client but if you use the third party api's to get the cookies it may not contain cookies only from the client anymore which may result in unwanted side effects.

You may refer to the link here as suggested by Author to this post - author' post and here is the link for the protocols to be used while defining the cookies link here

Here is another link that i stumbled upon which may help a bit

link here

or to use the same repository/database of the webview and the HttpUrlConnection you can create your own handler as implemented in the following stack thread Stack thread

Hope it may help you a bit.

Community
  • 1
  • 1
Pritish Vaidya
  • 21,561
  • 3
  • 58
  • 76
  • 1
    My best guess is to implement a plugin that calls `CookieManager.flush()` since `sync()` is deprecated. https://developer.android.com/reference/android/webkit/CookieManager.html#flush() – jrobichaud Oct 14 '16 at 16:38