Cookies are not sharing between inAppBowser and with app

[nmanikiran]

Bug Report

Cookies are not sharing between inAppBowser and with app

Problem

I have a SSO login flow i am login in the InAppBrowser and sync the cookies with the app WkWebView but not working in v 4.0.0 this issue iam observing after updating cordova v 10.

tried follwoing

• updating the InAppBrowser v 5.0.0 as well.
• plugin for sync cookies @zalaris/cordova-plugin-wkwebview-inject-cookie

What is expected to happen?

Need to sync the cookies between InAppBowser and WkWebView app and vice versa

What does actually happen?

• When login on inappbrowser cookies are not passing to wkwebview
• open any link on inappbrowser is asking for login

Information

on

Command or Code

Environment, Platform, Device

iOS & Android

Version information

iOS version 14.4
cordova v 10.0
cordova-ios v6.1

Checklist

• I searched for existing GitHub issues
• I updated all Cordova tooling to most recent version
• I included all the necessary information above

[thorsten-wolf-neptune]

Hi guys,

we are having the same requirement and face this issue as well on our side.
The cookie handling seems to be different since iOS Version 14.5 and since the usage of WKWebView.
In iOS < 14.5 and Apps still running the deprecated UIWebView this still works.

Our Environment

Cordova iOS 6.2.0
iOS 14.6
cordova-plugin-inappbrowser v 5.0.0
Usage of WkWebView

Our Flow

We have a button in our main cordova app (running WKWebView) which opens the cordova-plugin-inappbrowser.
There we trigger an Azure AD Login (login.microsoftonline.com) which in the end returns important Login Cookies for further SAML Authentication flow in our main App. We then automatically close the inappbrowser window.
After that we subsequently trigger Ajax calls against *.microsoftonline.com in our main App but those will approx. 90% of the time fail since the cookies from the inappbrowser are not being sent with the ajax calls.
However, the very strange thing is that there are cases where this works:

• If we put a timeout of 10 seconds after the inappbrowser is closed the cookies seem to be correctly synced between inappbrowser and main WKWebView and the authentication works.
• If the user clicks the button to login again after the first failure the inappbrowser seems to have still all cookies in place (no requirement to put in the password again in the inappbrowser page). If he continues the flow then and the inappbrowser is closed THEN the cookies seem to be transfered back to the main WKWebView and the next Ajax calls will have the required Cookies in the main app.

This looks to me like a timing or async issue. I have no knowledge about native iOS Development, but could it be that the Cookie stores and their synchronization are handled somehow asynchronously by iOS now and we need a callback/promise approach here?

We have tried many things to get around this issue but none of them resolved this behavior.:

• In iOS Settings --> Safari --> Advanced --> Experimental Features. We enabled "Disable Full 3rd-Party Cookie Blocking" "Disable Removal of Non-Cookie Da..."
• We have tried https://github.com/ikosta/cordova-plugin-cookies
• We have tried https://github.com/nim901/cordova-cookie-emperor
• We have tried https://github.com/zalaris/cordova-plugin-wkwebview-inject-cookie
• We have tried building with XCode 11.7 as mentioned here: Plugin seems to not work on ios 14 CWBudde/cordova-plugin-wkwebview-inject-cookie#11 (comment)
• We have tried adding NSCrossWebsiteTrackingUsageDescription in config.xml as mentioned here Plugin seems to not work on ios 14 CWBudde/cordova-plugin-wkwebview-inject-cookie#11 (comment)
• We have tried iOS 15 Beta

Any help here is very much appreciated :-)

[demym]

I am also interested in resolution of this behaviour, same problem:

cordova-ios: 6.0.0
ios > 14.5
cordova 10.0
inappbrowser 4.1.0

The same works perfectly on ios <14.5

Some workaround until it's fixed, please ?

Thanks

[thorsten-wolf-neptune]

Hi Demym,

we could solve the problem on our side which might help you as well.
Currently there are two working solutions as far as i know:

You can use the WebView Proxy from @NiklasMerz here:
GEDYSIntraWare/cordova-plugin-webview-proxy

When doing this you will need to use a custom scheme and custom hostname and need to convert all urls into "intrenal proxy URLs" (Example app://myApp/proxy/actualHttpURLURIEncoded/... ) with the function provided by the plugin:
window.WebviewProxy.convertProxyUrl(url)
By doing this the network traffic is routed through native Objective C Code which performs the calls. That native code takes care of the Cookie Syncing.
There has been an adjustment made which added this cookie sync from InAppBrowser Back to the main app: ​GEDYSIntraWare/cordova-plugin-webview-proxy#18 (comment)

Big shoutout and thanks again to @NiklasMerz who solved this problem :-)

Another solution is to use plugin https://github.com/CASTANA-Solutions/cordova-plugin-ios-xhr#readme
That is following the same principle (routing the calls through native Objective C Code) and also has a fix which solves the the cookie Syncing. The only difference is that this overrides the $.ajax call. So you don't have to first convert the URL you want to call into an "proxy URL" but us your existing code without adjustments. Also you don't need to use a custom scheme and custom hostname for this.
CASTANA-Solutions/cordova-plugin-ios-xhr@ed94fee

I hope this helps you and anyone else which has to deal with these anyoing issues :-)

cheers
Thorsten

[demym]

Thanks for the response Thorsten

That was great, i installed the cordova-plugin-ios-xhr and magically now the app works correctly !! Thanks very very much.

I imagine that when the inappbrowser will be updated i could remove the xhr plugin right ?

Anyway, thanks once again for now

[thorsten-wolf-neptune]

Hi demym,

This really made my day seeing that you could resolve the problem.
We struggled with this issue many months.

That sounds really interesting. I don't know if its possible to get a cookie Sync built into the inAppBrowser. Maybe it could be worth asking this in the
https://github.com/apache/cordova-plugin-inappbrowser
Repo.

Have a great weekend!
Thorsten

[stefano-8wave]

I've the same problem with WkWebView.
On Android cookie are already shared.
InAppBrowser will fix this?
Can i try adding this plugin? https://github.com/oracle/cordova-plugin-wkwebview-file-xhr

[thorsten-wolf-neptune]

I would suggest you try to add:
https://github.com/CASTANA-Solutions/cordova-plugin-ios-xhr

That's the fork we use and also demym i think.

I don't know if the cookie sync has also been introduced in the main plugin. I am only aware of the fork of CASTANA-Solutions.

Kind regards
Thorsten

[stefano-8wave]

I would suggest you try to add: https://github.com/CASTANA-Solutions/cordova-plugin-ios-xhr

That's the fork we use and also demym i think.

I don't know if the cookie sync has also been introduced in the main plugin. I am only aware of the fork of CASTANA-Solutions.

Kind regards Thorsten

Thanks for your answer, also adding this plugin cookies are not shared. Have i to add some specific preferences?

[thorsten-wolf-neptune]

hmm ok. are you using the $.ajax function to perform your requests in the main app? I think the plugin will overrid this function so you would need to use $.ajax.

br
Thorsten

[stefano-8wave]

i'm opening inappbrowser with "_blank" on cloudflare authentication page, so i don't know if it is an ajax request.
I also override hostname and scheme preferences with "app://localhost". It is the same or it works only with file://?

[thorsten-wolf-neptune]

but what kind of requests are you performing on your main app?

That is a difference i can tell you. In our case we are running the main app with file:// and use inappbrowser for login.microsoftonline.com as well as $.ajax calls in the main app.

With this setup and https://github.com/CASTANA-Solutions/cordova-plugin-ios-xhr cookies are properly shared in our use case.

br
Thorsten

[stefano-8wave]

on my main app I call inappbrowser with cloudflare login to authenticate and set authentication cookies.
Then i close inappbrowser. On Android cookies are correctly shared and not on iOS.
After "login" i'm using xhr request. I can try with file:// scheme.

[zarko-tg]

Hi guys,

I am wondering if anyone has a working solution for Azure / msal-browser login in a Cordova app for iOS. We're seeing a very stange issue, one described here: AzureAD/microsoft-authentication-library-for-js#4910

Is it something that should / can be fixed by Cordova / in the InAppBrowser or one (still) needs to resort to other plugins to circumvent one or another Apple/WKWebView constraint?

[vennesh]

Any solution for this problem