I have application written in asp.net MVC (NetFramework 4.7.2).
When I enter my credential and click Login button
POST to login page return 302 (with auth cookie)
REDIRECT to action returning dashboard (with auth cookie)
Everything works over HTTP, I can use my application.
But over HTTPS after dashboard is loaded auth cookie dissapears (there is no code on JS, maybe browser do it). Cookie has enabled flags HttpOnly and Secure. I use the newest Chrome to browser my app.
It's probably related with console error
Clear-Site-Data" header on '': Unrecognized type "*"
I don't why it is added, I never have such header in code. Is it possible to browser do it?
If the browser drops the cookie it will usually write a message to the dev console about why it is dropping it. Most browsers are very specific about the reason for dropping cookies.
In your case, there seems like the response contains this header: Clear-Site-Data. It's a standard header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data The backend must be returning this header for some reason. Then the browser correctly drops the cookie as instructed.
It's interesting though, why the browser complains about the asterisk value. According to the docs this is one of allowed values for this header.
I'm in the midst of integrating an app with Ionic (v5) /Capacitor (v2.4.2). On iOS, my URL is capacitor://localhost. When I'm trying to load up iframes from a third-party source, I notice that the request is always failing because the Referer field isn't getting sent from the WKWebView, as compared to what I would expect when I do the same, but load up the files from my desktop browser.
Reading the link on the Referer field, I see that the browser doesn't send in the Referer field in the browser if the protocol is not http or https.
Looking at Google/SO answers, I can't find any previous answers that might address my use case, but I'm trying to be able to load up the iframes for my credit card form on my Ionic integration.
Are there any ways to make this work, and is my understanding of the bottleneck correct, where it's the fact that the custom URI schema present on my Ionic iOS app is causing the Referer from not being sent in the GET request?
I notice that it is being sent in the POST requests, so I am really curious here.. The Origin was being sent in the POST requests, apologies.
Would appreciate any advice on this.
In Safari browser, Authorization header is getting scraped when request is redirected. It is working in all other browser like Chrome, IE.
I am doing one ajax call where I pass the Authorization header, this API redirect to the other API, with status code 302, in all other browser Authorization Header is persisted when request is redirected. but in safari browser it is not persisted so the redirected API gives 401 unauthorized response.
I am using safari 12.1.2 version. I have also tried to change the request redirect mode by setting requestOptions.redirect to manual and handling redirection manually but that also not worked, it was giving 401 in that model also.
Any one have faced this type of issue ? I have referred multiple resources but not found any solution.
Please Help.
Lets say I have an application on foo.com domain.
I am doing user authorization to api.boo.com using the Fetch method with credentials flag as include and CORS set as well.
After successful authorization I am getting a session cookie. I need that cookie to have an access to another API's methods on api.boo.com domain.
This flow works fine on almost every browser. The problem is on iPhone's Safari. Safari has default option (Settings -> Safari -> Block Cookies) setted as "Allow from Websistes I Visit" with this configuration Safari doesn't send the session cookie when I am calling another API's methods so it looks like I am unauthorized.
The simplest solution is to change the cookie policy to "Always Allow". After that a session cookie is being sent. However, I can't ask every user of my application to do that.
Do you have any ideas how to make this flow working properly on iPhone's Safari?
I have a page loading up in MobileSafari which communicated with another server via CORS.
In desktop browsers (tested Chrome and Safari), I am able to log in, get a session cookie, and have that session cookie be sent back for subsequent requests so that I may be authenticated with all API calls.
However, when I login via Mobile Safari, the cookie does not get sent back on subsequent requests.
I'm using Charles Proxy to spy on what's going on, and it tells me:
POST https://myremoteserver.com/sessions.json passes up my login info
It succeeds and response is received with a valid Set-Cookie header.
GET https://myremoteserver.com/checkout.json is requested, without a Cookie request header.
Server responds as if I am not logged in.
I'm using this snippet with Zepto.js to ensure that the withCredentials: true is properly setup on the XHR object. (pardon the coffeescript)
# Add withCredentials:true to the xhr object to send the remote server our cookies.
xhrFactory = $.ajaxSettings.xhr
$.ajaxSettings.xhr = ->
xhr = xhrFactory.apply(this, arguments)
xhr.withCredentials = yes
xhr
And that snippet works great in desktop browsers, and before I added it I was not able to preserve the session cookies in those desktop browsers.
Is there some quirk in MobileSafari that prevents this from working like desktop browsers? Why does it not work in the same way?
Edit!
here is my CORS headers setup in my rails 2.3 app, fairly standard stuff I believe
def add_cors_headers
if valid_cors_domain
headers['Access-Control-Allow-Origin'] = request.headers['HTTP_ORIGIN']
headers['Access-Control-Expose-Headers'] = 'ETag'
headers['Access-Control-Allow-Methods'] = 'GET, POST, PATCH, PUT, DELETE, OPTIONS, HEAD'
headers['Access-Control-Allow-Headers'] = '*,x-requested-with,Content-Type,If-Modified-Since,If-None-Match'
headers['Access-Control-Allow-Credentials'] = 'true'
headers['Access-Control-Max-Age'] = '86400'
end
end
Also today desktop Safari on Mountain Lion started not to send the cookie, behaving just like MobileSafari. I'm not entirely sure if my assessment yesterday was inaccurate, or perhaps Apple is just trolling me...
Also could this be affected by using https:// at the remote url?
I don't know if this solution will work or is acceptable to you but I had the same problem with mobile Safari and a JSONP app. It seemed that Safari was not set to accept third party cookies. I went to Settings > Safari > Accept Cookies and set 'Always' and the problem evaporated. Good luck.
Can I set cookies in a response from a jsonp request?
I believe you are experiencing what I have been seeing in my app. My issue, was caused because iOS Safari, comes with a default option "Prevent Cross-Site Tracking" enabled by default that is causing the browser to block ALL third party cookies, even cookies that are issued by your back-end server from a different domain and CORS is configured correctly.
The only solution to this problem I found was to use a proxy in production like I did in dev. I accomplished this in Azure with Azure Functions and making all request go through a proxy. At that point iOS Safari did not block my cookies everything was set as expected.
I wrote about it in my blog https://medium.com/#omikolaj1/complete-guide-to-deploying-angular-and-asp-net-33a0976d0ec1
You didn't mention whether the remote server is under a different domain or just a different subdomain. I assume is under a different domain.
As #schellsan pointed out you can't set/write cookies to a different domain even if the CORS policy allows it due the 3rd party cookies restriction on safari. It's the latest safari restriction. I guess Firefox is about to do the same.
Workarounds I'm currently evaluating:
Use a redirect on the remote server so that when the client is redirected (the remote URL is in the browser bar) you can set the cookie
Use a custom header
I was running into the same problem.
My setup was:
AngularJS (Ionic) App on Server A with domain a.com
NodeJS with Passport JS as Backend on Server B with domain b.com
The login with the cookie went well on every browser, except Mobile Safari on iOS. Also the change of the mobile cookie (Do not track) settings in iOS did not had any impact on the issue.
Solution was to set a CNAME DNS Record
backend.a.com CNAME b.com
Open an address that sets the cookie via an iFrame - this will set the cookie.