4

I'm trying to understand this behaviour for a university project.

I have a React web application deployed on Google Cloud and a Go server also deployed on Google Cloud.

The web application uses the API served by my Go server.

The app seems to work pretty well using Chrome and Firefox browsers in a desktop environment and on Android smartphones, but when I use it with the same browsers on iOS (iPhone 8), the API calls do not contain the cookie I need to authenticate the user in my Go server. Safari also works well, so I see this behaviour only with Chrome and Firefox on my iPhone.

These are the headers of two calls to the same API, the first made with Safari and the second made with Firefox:

Safari (iOS 12.0.1)

GET /example/users HTTP/1.1
Host: api-server.com
Connection: close
Accept-Language: en-gb
Cookie: default=MTU0MDM3MTA0... /*COOKIE IS SET HERE*/
Dnt: 1
Origin: https://example.com
Referer: https://example.com/
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0_1 like Mac OS X) 
            AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 
            Mobile/15E148 Safari/604.1
X-Cloud-Trace-Context: 38640...

Firefox (v14.0)

GET /example/users HTTP/1.1
Host: api-server.com
Connection: close
Accept-Language: en-gb
Origin: https://example.com
Referer: https://example.com/
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0_1 like Mac OS X) 
            AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/14.0b12646 
            Mobile/16A404 Safari/605.1.15
X-Cloud-Trace-Context: cb5ff...

When I send the request using fetch, I set the option `credentials: 'include'`, but as you can see the second call does not set the cookie I need...

What am I missing?

Thank you for your help

sideshowbarker
Ve9

1 Answer

2

I think you might have run into this issue.

The key takeaway being:

Safari ships with a conservative cookie policy which limits cookie writes to only the pages chosen ("navigated to") by the user. This default conservative policy may confuse frame based sites that attempt to write cookies and fail.

A slightly convoluted workaround is using an iframe to load a page that sets the cookies, instead of doing that with JavaScript. Read more about it here.

Depending on what you are trying to achieve, maybe cookies aren't what you need in the first place. For example, when I ran into this same issue, I ended up using Fingerprintjs2 instead – but I only wanted cookies for telemetry; fingerprinting definitely doesn't fit every use case that cookies can cover.

Dániel Kis-Nagy
  • 1
    But Safari does work, it sets the cookie. Firefox and Chrome don't! – Ve9 Oct 29 '18 at 15:52
  • 1
    You should know that 3rd party browsers written for the iPhone essentially use an "embeddable" version of the rendering engine of Safari Mobile – i.e. if you launch Chrome / Firefox / Edge on iPhone, they still essentially are Safari Mobile, just with a different UI, and possibly a more restricted access to the system than Safari Mobile (the 1st party app) itself. So if you only experience your issue on iPhone (which is what I understood from your original question), even if only in 3rd party browsers, then the links I suggested might still be worth checking out :) – Dániel Kis-Nagy Oct 29 '18 at 17:23
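
A server-side check for the symptom discussed in this thread, as an added example (not code from the question or the answer): it parses two constructed requests modelled on the question's header dumps and flags calls whose `Origin` host differs from `Host` and that arrive without the `default` cookie. The `Diagnosis` type, the function names and the shortened header values are assumptions; `CriOS/` is the User-Agent token of Chrome on iOS, and comparing hosts only approximates the browser's own third-party classification.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed requests modelled on the question's header dumps; all names here are illustrative.
var samples = []string{
	"GET /example/users HTTP/1.1\r\nHost: api-server.com\r\nOrigin: https://example.com\r\n" +
		"Cookie: default=CONSTRUCTED\r\nUser-Agent: Mozilla/5.0 (iPhone) Version/12.0 Safari/604.1\r\n\r\n",
	"GET /example/users HTTP/1.1\r\nHost: api-server.com\r\nOrigin: https://example.com\r\n" +
		"User-Agent: Mozilla/5.0 (iPhone) FxiOS/14.0b12646 Safari/605.1.15\r\n\r\n",
}

type Diagnosis struct {
	OriginHostDiffers bool // Origin host != Host header (approximation of "third party")
	HasCookie         bool // the named cookie arrived with the request
	IOSWrapper        bool // UA carries FxiOS/ or CriOS/ (Firefox/Chrome on iOS)
}

// CookieDropped is the symptom from the question: cross-host call, no cookie.
func (d Diagnosis) CookieDropped() bool { return d.OriginHostDiffers && !d.HasCookie }

// DiagnoseRaw parses one raw HTTP/1.1 request and inspects its headers.
func DiagnoseRaw(raw, cookieName string) (Diagnosis, error) {
	r, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return Diagnosis{}, err
	}
	var d Diagnosis
	if u, err := url.Parse(r.Header.Get("Origin")); err == nil && u.Host != "" {
		d.OriginHostDiffers = !strings.EqualFold(u.Host, r.Host)
	}
	_, err = r.Cookie(cookieName)
	d.HasCookie = err == nil
	d.IOSWrapper = strings.Contains(r.UserAgent(), "FxiOS/") || strings.Contains(r.UserAgent(), "CriOS/")
	return d, nil
}

func main() {
	for _, s := range samples {
		d, err := DiagnoseRaw(s, "default")
		fmt.Printf("%+v dropped=%v err=%v\n", d, d.CookieDropped(), err)
	}
}
```

Logging this result per request in the API server shows which browser builds arrive without the cookie, without relying on reports from the client side.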