2

When I log in, this is what I see in the browser:

Overview
URL: https://subdomain.domain.de:8444/api/auth/login
Status: 200
Source: Network
Address: xxx.xxx.x.xx:8444
Initiator: 
xhr.js:177


Request
POST /api/auth/login HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Origin: https://subdomain.domain.de
Content-Length: 62
Accept-Language: de-de
Host: subdomain.domain.de:8444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15
Referer: https://subdomain.domain.de/login
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

Response
HTTP/1.1 200
Access-Control-Allow-Origin: https://subdomain.domain.de
Content-Type: application/json;charset=UTF-8
Pragma: no-cache
Set-Cookie: accessToken=FycxgaSUgHnBlzMqYn/qsBEm5YBcmX52/eYbm+daUHPP1Fa7edawdawdawO1EdJlz9nyP5FrlPYnh/b//SZJRDs0Am8sGF+UZ+XffvPra8awdawd9+RbHiN0WcL+9T4xLlueMxd5bNVRVKHqeTonSK02Ym0cLxfALOeHrmbdqLS95uNOlzFYbjOuGV7bhwLGk5bavNPv9IWKqNAILAbkkw+gdawdawduM+BXdGE7KFbUgxvGmDw==; Path=/; Domain=subdomain.domain.de; Max-Age=PT448343981H30M29S; Expires=Sat, 16 Apr 2072 22:57:46 GMT; Secure; HttpOnly;SameSite=Lax
Set-Cookie: refreshToken=FycxgaSUgHnBlzMqYn/qsBEm5YBawdawdadawdupnO1EdJlz9nyP5FrlPYnh/b//SZJRDs0Am8sGF+UZ+XffvPra84jWTk9+RbHiM1+aNElVA8jXewqlexh7tGKuawdawdv4pxzC/RsDoGS/Jc8Xkzg133dYMCr7mRHlkU7jijoJrPYUAayiewVIMPUh/IE8sGUqIMKbiGoqAJAawdawdawdawdawdaw03GS4XgbwFj76V2AAAw==; Path=/; Domain=subdomain.domain.de; Max-Age=PT450502981H30M31S; Expires=Fri, 15 Jul 2072 21:57:46 GMT; Secure; HttpOnly;SameSite=Lax
X-XSS-Protection: 1; mode=block
Expires: 0
Transfer-Encoding: Identity
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Date: Mon, 22 Feb 2021 22:58:53 GMT
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
Strict-Transport-Security: max-age=31536000 ; includeSubDomains

Request data
MIME type: application/json
Encoding: utf-8
Request data: 

I also see the cookie in the response:


But the cookies are not saved in the browser. This is a first-party cookie which I am creating in my Spring backend.

In Spring Boot, I create the cookies like this:

import org.springframework.http.HttpCookie;
import org.springframework.http.ResponseCookie;
import org.springframework.stereotype.Component;


@Component
public class CookieUtil {

    // Builds the access-token cookie; maxAge is the lifetime in seconds.
    public HttpCookie createAccessTokenCookie(String token, Long duration) {
        return ResponseCookie.from("accessToken", token).maxAge(duration).httpOnly(true).path("/").build();
    }

    // Builds the refresh-token cookie with the same attributes.
    public HttpCookie createRefreshTokenCookie(String token, Long duration) {
        return ResponseCookie.from("refreshToken", token).maxAge(duration).httpOnly(true).path("/").build();
    }
}
farahm
  • Hi @farahm. At first sight, all looks fine. Are the cookies saved in other browsers? Although I think `Lax` is preferable (please, see [this](https://blog.heroku.com/chrome-changes-samesite-cookie)), you can try to set your cookies' `SameSite` attribute to `None`. Although for iOS, perhaps this Safari [issue](https://developer.apple.com/forums/thread/665823) can be related. – jccampanero Feb 23 '21 at 22:58
  • Hi @jccampanero. Thanks for the reply. I give SameSite=None a try – farahm Feb 23 '21 at 23:02
  • Thank you @farahm. I hope it helps. Please, review the mentioned article if you have some time, I think it is very interesting. – jccampanero Feb 23 '21 at 23:13
  • I tried `SameSite=none` but the problem still exists – farahm Feb 23 '21 at 23:16
  • I am sorry to hear that. And, does it work in other browsers? – jccampanero Feb 23 '21 at 23:30
  • Yes it works in Chrome and Firefox – farahm Feb 23 '21 at 23:33
  • But after setting `SameSite=none` it also stopped working in Chrome – farahm Feb 23 '21 at 23:34
  • It makes sense, recent versions of Chrome require the use of `Lax`. And, maybe the issue reported about Safari I indicated in the first comment? Please, verify the security preferences for your site as well, perhaps it could be another possible reason for the problem. – jccampanero Feb 23 '21 at 23:42
  • I am using Safari 13.1; the issue in your comment is regarding Safari 14.x – farahm Feb 24 '21 at 00:02
  • This should not be a problem, but in case of, you could try to enforce the port on the domain part of the cookie `; Domain=subdomain.domain.de:8444;`. As I said it should not be a problem and the cookies should be valid for all ports, but... – regilero Feb 26 '21 at 08:33
  • Hi @farahm. I apologize for the late response. Did you finally solve the problem? I was digging into the issue, and in fact there are tons of possible reasons for the problem. Any way, I would suggest you to try to set the domain for the cookie to something like `.domain.de` or `domain.de`. Please, pay attention - sorry, maybe it is normal - to the fact that in your screenshot it seems that the value for max age is not printed. Maybe it is not important, but try to provide some value for it, for testing purposes. Please, can you try? – jccampanero Mar 02 '21 at 22:39
  • Hi @jccampanero, thanks for the reply. I solved it by removing the max age value from the cookie. Now it's only valid until session end and Safari is accepting it. If you want you can answer this question with this answer and I will give you the bounty – farahm Mar 02 '21 at 22:43
  • Hi @farahm. That is great!! I am very happy to hear that you solved the problem. Yes, certainly it looks strange in the screen shot. Please, see this related [SO question](https://stackoverflow.com/questions/61386688/safari-not-include-cookie-to-second-cors-request), maybe it could be of relevance, the OP solved the problem by adjusting the cookie max age. You are very generous, I really appreciate that but please, do not worry, you found the answer on your own, it will not be fair to give me the bounty. Any way, thank you very much!! – jccampanero Mar 02 '21 at 22:47
  • Yes, my answer is just a temporary solution. It would be better to have the cookie be valid for more than the session. But anyways, you spent a lot of time helping me with this problem. So I really would like to give you the bounty – farahm Mar 02 '21 at 23:19
  • Thank you very much @farahm. I will write an answer in that case. I really appreciate that, you are very generous. Did you see the SO question I mentioned in my previous comment related to the format of the max age information? Perhaps not, but maybe it can be related. – jccampanero Mar 02 '21 at 23:25
  • Thank you very much @farahm. I'm sorry I wasn't very helpful this time. Please do not hesitate to contact me if you need help on this or any other subject. – jccampanero Mar 03 '21 at 09:33
  • Hi @jccampanero. I need help with a problem. Could you please help me? – farahm May 27 '21 at 21:11
  • Hi @farahm. It is nice to hear from you again. Sure, I will be happy to help you if I can. Please, what is the problem? – jccampanero May 27 '21 at 21:20
  • Thank you very much. I need some help with bi-directional relations including orphanRemovals. Can we have a chat? – farahm May 27 '21 at 21:24
  • Maybe tomorrow? – farahm May 27 '21 at 21:58
  • Sorry @farahm. I just realized your comments, as you did not mention me, SO did not alert me. I am very sorry anyway. Yes, of course, as you wish. Same time? About 23:00 CET? – jccampanero May 27 '21 at 22:40
  • Oh I'm sorry @jccampanero. Did not know that I have to do that in order for you to get alerted. Yes that's fine. Same time. Thank you very much. – farahm May 28 '21 at 01:59
  • Hi @farahm. There is no need to apologize. On the contrary, I am sorry for not seeing your comment. Are you in the chat? – jccampanero May 28 '21 at 21:06
  • Hi @jccampanero, yes I'm coming into chat – farahm May 28 '21 at 21:08
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/233030/discussion-between-farahm-and-jccampanero). – farahm May 28 '21 at 21:08

2 Answers

6

There are a great number of problems related to Safari and the use of cookies; if you look for information related to the problem you will find multiple bugs and solutions, some appropriate for some cases and some for others.

Although Lax is preferable (please, see this great article), one thing you can try is setting your cookies' SameSite attribute to None. Be aware that this change may be relevant and affect the application behavior in other browsers, especially Chrome.

Another thing you can try is setting the domain for the cookie to something like .domain.de or domain.de to avoid any possible subdomain-related problem.

Finally, please, pay attention to the fact that in your screenshot it seems that the value for max age is not printed correctly. Probably not, but perhaps a similar issue, for the same version of Safari you indicated, has been reported here on SO in this question: the OP solved the problem by adjusting the value of the max age cookie attribute. Please, try different values for that attribute, maybe it works.

According to your comments, for future reference, the problem actually seems related in some way to the cookie max age: removing the max age value from the cookie looks like a temporary workaround for the problem.

jccampanero
  • I was facing this issue, my site has the option of long-term cookies that set MaxAge and session cookies that don't. Looks like MaxAge was my issue since I could log in with the single session option – Billcountry Dec 23 '22 at 17:46
  • I'd like to add another potential culprit. In the case I experienced today where cookies were blocked both on all iOS browsers and on Safari, yet working in desktop Chrome/Brave/Firefox/... the issue was that Safari seems to not save the cookie if a 'path' is set. Something I assume many do not use very often so I didn't find anything yet about this and wanted to mention it in case someone else encounters it. When I removed the path, both iOS browsers and Safari started working. – Brecht De Rooms Jun 23 '23 at 08:06
0

In Safari you'll have to ask the user to allow the use of your cookie.

As of ITP 2.1, Safari uses its machine-learning magic to identify which first-party cookies can be used for tracking. Then, it blocks cookies unless you use the Storage Access API to ask users to allow the use of your cookie.

You can read further on how to use this here: https://developer.mozilla.org/en-US/docs/Web/API/Document/requestStorageAccess

wave