Safari 16.4 seems to lose session cookies on asset requests or javascript fetches.

On iPads after updating to iPadOS 16.4, Safari often "loses" the session cookie provided by PlayFramework: When the browser requests assets (JS scripts) or when additional data is fetched by JavaScript, the session cookie is not included in the request.

These secondary requests will redirect through our IAM because no session cookie is present. The IAM redirects back to the original domain with a payload so that the login session can be resumed. A new Set-Cookie header is sent in the response with the new session cookie.

This causes the framework to issue a new CSRF token (that is part of the session cookie) which is different from the old one that was already rendered into a hidden form input. The browser stores this new token and includes it when it POSTs the form. The token in the body of the request is now different from the one in the cookies, causing the CSRF check to fail.

We have tried different devices (Android, Windows, MacBook, and iPads) on different versions. The problem only occurs with Safari on iPad/MacBook running version 16.4, 16.4.1, or 16.5 beta. The problem cannot be reproduced using Chrome on iPad. Furthermore, the problem does not occur with private browsing in Safari.

Some things we ruled out:

  • Same behaviour on devices managed by MDM and on open devices.
  • PlayFramework version is now updated to the latest 2.8 version.
  • Using a separate cookie for the CSRF token (instead of the play session cookie) does not make a difference either.
  • Modifying the Cache-Control header to cache responses more aggressively or not at all does not help.

Has anyone also experienced this or similar problems?

Answered by ihg in 750595022

The problem only occurs with Safari on iPad/MacBook running version 16.4, 16.4.1, or 16.5 beta. The problem cannot be reproduced using Chrome on iPad. Furthermore, the problem does not occur with private browsing in Safari.

We have a similar issue with Safari on iPad running version 16.4 (other versions untested) but have not yet been able to debug it further, as we have no MacBook at hand right now. But navigating will hang our page and redirect to login after refresh. So it seems to be a session-cookie-related regression. Deleting Safari website data resets and/or restarts the cycle. Private browsing in Safari or switching to Chrome or Edge is "helping" for now. I will try to get more details on the issue using a MacBook as soon as possible.

Since this problem still exists in the latest Safari version (16.5.2) and we're having problems with this as well, I've added some details of our cookie problem when loading (rendered JavaScript) assets to https://bugs.webkit.org/show_bug.cgi?id=255524. It seems that any value in the SameSite attribute of the cookies causes this to happen. We could see that just 4 of the 7 cookies were kept during all requests and the other three got lost from time to time. Hoping for an official fix soon.

I updated a machine to Safari 16.6 yesterday, and discovered this issue. Same behavior as described here, sessions just seem to eventually disappear.

From an IIS server-side perspective, to resolve the issue, add this IIS rewrite rule to your web.config:

  <!-- Goes in <system.webServer> of web.config, after the closing </httpProtocol> element -->
  <rewrite>
    <outboundRules>
      <rule name="Use only secure cookies" preCondition="Unsecured cookie">
        <!-- Match the whole Set-Cookie header and append the Secure attribute -->
        <match serverVariable="RESPONSE_SET_COOKIE" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; secure" />
      </rule>
      <preConditions>
        <preCondition name="Unsecured cookie">
          <!-- A Set-Cookie header is present ... -->
          <add input="{RESPONSE_SET_COOKIE}" pattern="." />
          <!-- ... and it does not already carry Secure. This must be negate="true":
               with negate="false" the rule would fire only on cookies that are
               already Secure and append the attribute a second time. -->
          <add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
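The same precondition logic as the IIS outbound rule above, re-implemented in plain JavaScript as an added example (not part of the original post or of IIS) so the effect of the `negate` flag on the `; secure` pattern can be checked against sample headers. With the flag negated, the rule fires only on Set-Cookie headers that lack Secure and adds it exactly once; without negation it fires only on headers that already carry Secure and duplicates the attribute. The two Set-Cookie headers below are constructed samples.

```javascript
// Added example, not code from the original post: mirrors the IIS rule
//   match RESPONSE_SET_COOKIE ".*"  ->  rewrite "{R:0}; secure"
// guarded by the "Unsecured cookie" precondition, for both negate settings.

// <add input="{RESPONSE_SET_COOKIE}" pattern="." />
// <add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="..." />
// IIS patterns are case-insensitive by default, hence the /i flag.
function preconditionMatches(setCookie, negateSecure) {
  const hasAny = /./.test(setCookie);
  const hasSecure = /; secure/i.test(setCookie);
  return hasAny && (negateSecure ? !hasSecure : hasSecure);
}

// The rule body: when the precondition lets the header through, append Secure.
function rewriteSetCookie(setCookie, { negateSecure }) {
  return preconditionMatches(setCookie, negateSecure) ? `${setCookie}; secure` : setCookie;
}

// Apply the rule to every Set-Cookie header of a response.
function rewriteAll(headers, opts) {
  return headers.map((h) => rewriteSetCookie(h, opts));
}

// Constructed sample headers: one without Secure, one already Secure.
const SAMPLE_HEADERS = [
  "PLAY_SESSION=abc123; Path=/; HttpOnly; SameSite=Lax",
  "csrfToken=def456; Path=/; Secure; SameSite=Lax",
];

// negate="true": only the unsecured cookie is touched, and only once.
const fixed = rewriteAll(SAMPLE_HEADERS, { negateSecure: true });
// negate="false": the unsecured cookie is left alone and the secure one gets "; secure" twice.
const broken = rewriteAll(SAMPLE_HEADERS, { negateSecure: false });

console.log("negate=true :", fixed);
console.log("negate=false:", broken);
```

Running it shows the difference in one glance: the negated precondition yields `PLAY_SESSION=...; SameSite=Lax; secure` and leaves the csrfToken header untouched, while the non-negated one leaves PLAY_SESSION unsecured and produces `...; Secure; SameSite=Lax; secure`.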
