Safari not include COOKIE to second CORS request

Question

I have frontend on https://somedomain.dev (angular) and api on https://api.somedomain.dev (so I have same domain but different subdomain - this is important because for different whole domains Safari will block all cookies). I send 3 requests to API in following order

POST /api/user/login - in response server set HttpOnly COOKIE (with authorisation token: JWT
GET /api/user/profile - to get user profile (browser should add COOKIE to request)
GET /api/buildings - to get buildings (browser should add COOKIE to request)

Problem: Safari add cookie only for GET profile and NOT add cookie to GET buildings (Chrome, Firefox and Edge add COOKIE to each GET request)

All requests details (headers etc.):

Chrome v.81.0 : login, profile and building
Safari v. 13.1 : login, profile and building
angular: each get request is send with withCredential: true flag (and of course this works in Chrome)

Question: Why Safari not add cookie to buildings request and what to do to force Safari (using javascript or server code) to add cookie to all requests (after login) ?

And you are using `withCredentials` on both requests? – David Apr 23 '20 at 12:56 — David, Apr 23 '20 at 12:56
@David - yes - on all requests (I use interceptor do do it) – Kamil Kiełczewski Apr 23 '20 at 12:58 — Kamil Kiełczewski, Apr 23 '20 at 12:58

Kamil Kiełczewski · Accepted Answer · 2020-04-23T13:19:26.880

2

Ok - after loooong analysing requests finally I found the problem - in login response the server set in Set-Cookie header the cookie life time by

Max-Age: 43200;

this works on Chrome, Firefox and Edge - but NOT on Safari (probably Safari treat this as 1s cookie life-time and this is why it add cookie only for first GET request) - so I change it to

max-age=43200;

and now works everywhere :)

edited Apr 23 '20 at 13:19

answered Apr 23 '20 at 12:54

Kamil Kiełczewski

85,173
29
368
345

Safari not include COOKIE to second CORS request

1 Answers1

Linked