This repository has been archived by the owner on Jan 25, 2021. It is now read-only.

Safari's Responsive Design Mode causes sign-out #772

Closed
distantnative opened this issue Feb 13, 2016 · 2 comments

Comments

@distantnative

BTW, maybe another cookie-related bug: If I log into the panel and then switch with Option + Command + R into Safari's Responsive Design Mode and then do a reload, I am immediately logged out. Even on a fresh installation, even with @distantnative's patch. So unfortunately if you want to debug something in the frontend with logged-in users in Safari's Responsive Design Mode – no chance.

I've checked with other web apps (Piwik, Harvest) for the same behaviour, but there I am staying logged in. I googled briefly if Safari's Responsive Design Mode is known for deleting / altering cookies but so far I found nothing.

(Source: https://forum.getkirby.com/t/safaris-responsive-design-mode-causes-panel-sign-out/3325)

@bastianallgeier bastianallgeier added this to the 2.4 milestone Mar 14, 2016
@bastianallgeier
Contributor

I think it's related to the user agent string. We use the agent string to create a fingerprint to avoid session hijacking. It's an OWASP recommendation and I don't know why the others don't do this as well. We might need to reconsider it though. @lukasbestle what do you think about this?

@bastianallgeier bastianallgeier modified the milestone: 2.4 Oct 11, 2016
@lukasbestle
Member

Oh yes, that must be it.

I'm not sure either. I think we should keep the fingerprinting for security. But maybe we could remove the user agent from it as it can be faked anyway. The IP address is probably a better fingerprint.
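
The fingerprint check discussed in this thread, as an added example that is not part of the original comments and is not Kirby's own code: it binds a session to a fingerprint built from the user agent, the IP address, or both, and shows which changes end the session. The helper names, the secret and the three requests are constructed, and it assumes, as the comments above do, that Responsive Design Mode sends a different User-Agent header.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not Kirby's session code.
// Fingerprint = HMAC over the chosen request attributes ('ua', 'ip').
function fingerprint(array $request, array $components, string $secret): string
{
    $parts = [];
    foreach ($components as $name) {
        $parts[] = $name . '=' . ($request[$name] ?? '');
    }
    return hash_hmac('sha256', implode("\n", $parts), $secret);
}

// At login: keep the fingerprint in the server-side session record.
function startSession(array $request, array $components, string $secret): array
{
    return ['user' => 'editor', 'fingerprint' => fingerprint($request, $components, $secret)];
}

// On every request: a mismatch is treated as a possible hijack and the
// session is rejected, which the user experiences as a sign-out.
function sessionIsValid(array $session, array $request, array $components, string $secret): bool
{
    return hash_equals($session['fingerprint'], fingerprint($request, $components, $secret));
}

$secret = 'constructed-demo-secret';

// Constructed requests (documentation IP ranges, shortened user agents).
$desktop    = ['ip' => '192.0.2.10',   'ua' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari'];
// Same browser after switching to Responsive Design Mode: device user agent.
$responsive = ['ip' => '192.0.2.10',   'ua' => 'Mozilla/5.0 (iPhone; CPU iPhone OS like Mac OS X) Safari'];
// Same browser, unchanged user agent, but a different network address.
$newNetwork = ['ip' => '198.51.100.7', 'ua' => $desktop['ua']];

foreach ([['ua'], ['ip'], ['ua', 'ip']] as $components) {
    $session = startSession($desktop, $components, $secret);
    $result = [];
    foreach (['reload' => $desktop, 'responsive' => $responsive, 'new network' => $newNetwork] as $label => $request) {
        $ok = sessionIsValid($session, $request, $components, $secret);
        $result[] = $label . ': ' . ($ok ? 'still signed in' : 'signed out');
    }
    echo str_pad(implode('+', $components), 6), ' | ', implode(', ', $result), "\n";
}
```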
