Cookie issues with iOS 10? #57
Comments
@nt4cats Trying to read between the lines here; is it possible you are running your own identity provider, and the developer who sent you this email is requesting you specify an expiration date for a cookie you're using?
This isn't the first I've heard of this, I believe this has been an issue since SFSafariViewController was launched, but perhaps the specifics have changed over time. The thing is: what is a "session" cookie anyway on mobile? On a mobile device, your "session" typically lasts a really long time (potentially years, until you replace the device). It used to be that a session cookie was removed once you close the browser window, a pattern that doesn't really translate to mobile, making the definition of session cookies ambiguous when it comes to mobile. I can understand why Apple chose to implement it the way they did (isn't closing the SFSafariViewController technically closing the window after all?), but in any case their implementation choices are not in our control. My recommendation would be to use persistent cookies to achieve SSO with AppAuth. As you noted, that approach does work. I'm closing this issue since there's nothing we can do at a library level to change this one way or another. Please feel welcome to continue to share any findings you have on this topic for the knowledge of the community!
One issue I've encountered implementing an OAuth flow that keeps users logged in across SFSafariViewController and Safari is that there appears to be a delay between when persistent cookies are synced between the two. For instance, when a server-side cookie (e.g. through the
Actually, I know of this issue, and I'm aware of a workaround. Let me cycle back around to this.
@StevenEWright I'd love to hear more about your workaround. We're currently not regenerating the session ID after login to keep the cookies in sync between Safari and SFSafariViewController.
@StevenEWright I'm also curious about a possible workaround for this.
Hi,
I have an iOS app and website connected to IdentityServer4. SSO works fine on iOS 9 and iOS 10.3+ but it doesn't work at all on iOS 10 - 10.2.x. Currently AppAuth performs authorization in SFSafariViewController, but when I force it to perform authorization in external Safari, SSO works fine on iOS 10 - 10.2.x. Are there any possible issues with doing authorization externally?
Looks like there's a new solution for this in iOS 11
As documented here, some cookie sync delay issues have been reported in the past. Closing this due to lack of activity.
@nt4cats, I am facing the same issue with iOS 10. Though I am receiving a cookie (without expiration date) in the response header, I am unable to use the same for SSO only in Safari but it works fine in Android. The app works perfectly on an Android device and the iOS simulator but not on an iOS 10 device. Can you confirm if the issue is fixed through changing the existing cookie into a session cookie? If anyone has any other suggestions, please advise.
One of my developers sent me the following e-mail. Is anyone else experiencing this?
"After some empirical testing into the cookie sharing behavior between iOS 9 and iOS 10, I have discovered that (unlike in iOS 9) in iOS 10, SFSafariViewController session cookies are not shared with either Safari or with other SFSafariViewController instances. The current SSO cookie must be a session cookie, which is the reason that SSO does not work on iOS 10 devices. The fact that other apps have not yet reported this issue appears to be due to their not having been as comprehensive with their testing to date, rather than that it's not an issue for them.
The good news is that the fix is easy: the SSO cookie must be converted to a persistent cookie through the addition of the expires parameter. Please let us know when this change can be made available."
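The session-versus-persistent distinction this thread turns on can be checked on the identity provider's `Set-Cookie` response headers. The following is an added example, not code from AppAuth or from anyone in this thread; the cookie names, header values and eight-hour lifetime are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# Constructed sample: Set-Cookie values as an identity provider might send them.
SAMPLE_HEADERS = [
    "sso_session=abc123; Path=/; Secure; HttpOnly",           # no Expires/Max-Age
    "prefs=dark; Path=/; Max-Age=31536000",                   # persistent (Max-Age)
    "csrf=x9; Path=/; Expires=Thu, 01 Jan 2026 08:00:00 GMT"  # persistent (Expires)
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def is_session_cookie(header):
    """A cookie with neither Expires nor Max-Age lives only for the browser session."""
    _, _, attrs = parse_set_cookie(header)
    return "expires" not in attrs and "max-age" not in attrs

def session_cookie_names(headers):
    """Names of the cookies that would be dropped when the session ends."""
    return [parse_set_cookie(h)[0] for h in headers if is_session_cookie(h)]

def make_persistent(header, lifetime, now=None):
    """Append an Expires attribute to a session cookie; leave persistent ones alone."""
    if not is_session_cookie(header):
        return header
    now = now or datetime.now(timezone.utc)
    expires = format_datetime(now + lifetime, usegmt=True)  # HTTP-date in GMT
    return f"{header.rstrip('; ')}; Expires={expires}"

if __name__ == "__main__":
    print("session cookies:", session_cookie_names(SAMPLE_HEADERS))
    print(make_persistent(SAMPLE_HEADERS[0], timedelta(hours=8)))
```

The lifetime passed to `make_persistent` bounds how long the SSO cookie stays on the device, so it should match the identity provider's server-side session policy.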