Secure cookies are lost when the Cordova iOS App is closed

Question

I am using Cordova (PhoneGap) and cordova-plugin-ionic-webview to use the fine tuned Ionic Engine (that uses WKWebview).

I am able to use secure and httponly Auth Cookies in order to Log In and everything works while I'm using the iOS App. When I close the App though the cookies are lost.

How can I prevent this?

This issue is not there on Android (and the localStorage correctly keeps its state on both platforms).

Still unsolved issue on their Github: https://github.com/ionic-team/cordova-plugin-ionic-webview/issues/87

check cookie expiration date if you get cookie with no expiration date it will be deleted automatically after session finished. — canister_exister, May 15 '19 at 21:50
It's not the cookie expiration date, it's in the future and work on Android :( — Gabe, May 16 '19 at 03:08
check this https://stackoverflow.com/a/52490200/4311935. You need to sync cookies before do any web loads — canister_exister, May 16 '19 at 15:18

score 1 · Answer 1 · answered May 16 '19 at 14:02

I think by default it now seems to install WKWebView on ionic or cordova projects, at least in my case anyway (it appears as a plugin in the plugins folder). So I uninstall the plugin and added this line into my config.xml:

<preference name="CordovaWebViewEngine" value="CDVUIWebViewEngine" />

I then set this globally for my HTTP provider:

$httpProvider.defaults.withCredentials = true;

or this can be done this way for each HTTP requests you have:

$http.post(url, {withCredentials: true, ...})

I then set this on my .php/server files:

header("Access-Control-Allow-Origin: http://localhost:8100"); // make sure this is the same on the client side
header("Access-Control-Allow-Headers: content-type,authorization");
header("Access-Control-Allow-Credentials: true");

The fixes mentioned above allows me to keep the same cookies/session throughout each page/requests in my application.

I hope this helps.

Edit:

From what I could find when I was having this issue, there was no way of persisting the cookies/session using WKWebView as Apple has not added a fix (I could be completely wrong, it's just what I found at that point. I think you either had to revert back to UIWebView or use a different method entirely.

The problem I have is not about using Auth cookies while using the App, that correctly works. The issue is that when I close the app those cookies are gone. I seem to have the same issue with the localstorage of the domain of an iframe injected from a third party trusted domain. On Android it is preserved and on IOS it is cleared on app force close. I solved using a workaround that allows me to set the missing value in the localstorage of that third party domain. I store and read from my keychain the sensitive information that I need to store there. — Gabe, May 16 '19 at 21:17

Secure cookies are lost when the Cordova iOS App is closed

1 Answers1