Play session cookie not sent by Safari
Asked Answered
O

1

4

I have a single page application (SPA) on a domain a.domain.com (http) that connect to an api on b.otherdomain.com (https) build in Play 2 (scala).

After the loading of the SPA, the user enter is credentials and the app make an ajax call to https://b.otherdomain.com.com/login.

The /login set the Play cookie and the following request are well authenticated. Everything works on Chrome and Firefox (not IE because of CORS restrictions).

It should work on Safari but after the /login call, the cookie is not sent back with the following requests, so play returns "401 not authorized" responses.

Is this a bug or a misconfiguration on my server side ? Do I have to change application.session.httpOnly and application.session.secure ?

Here is what I see from the Safari inspector :

/login headers :

URL de la requête:https://b.otherdomain.com//login
Méthode de la requête:POST
Code d’état:200 OK
En-têtes de requêteafficher la source
Accept:application/json, text/plain, */*
Content-Type:application/x-www-form-urlencoded
Origin:http://a.domain.com.com
Referer:http://a.domain.com/
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Données du formulaireafficher l’URL codée
email:[email protected]
password: foofoo
En-têtes de réponseafficher la source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://a.domain.com
Connection:keep-alive
Content-Length:31
Content-Type:text/plain; charset=utf-8
Set-Cookie:PLAY_SESSION=a71f93e3315fa9164dd7112841ccdb4a0f0c447b-     sessionId%3A6gtu7%21z.5i%218d%29v8yxy693n-s6zsuejpav_p67f9hb%7Ej%274h2de*jx3g35p%7Egzo0u;Path=/;HTTPOnly
Strict-Transport-Security:max-age=31536000

following request :

URL de la requête:https://b.otherdomain.com/users
Méthode de la requête:GET
Code d’état:401 Unauthorized
En-têtes de requêteafficher la source
Accept:application/json, text/plain, */* 
Origin:http://a.domain.com
Referer:http://a.domain.com/
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
En-têtes de réponseafficher la source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://a.domain.com
Connection:keep-alive
Content-Length:24
Content-Type:text/plain; charset=utf-8
Strict-Transport-Security:max-age=31536000
Olsen answered 10/1, 2013 at 11:5 Comment(1)
This sounds like the same issue in the following SO link; if its a reproducible issue, it may be a Safari bug: #14207031Crossopterygian
I
0

I had the same problem. It worked well in Chrome, but not at all in Safari. My understanding is that this is a new limitation of Safari related to third party Cookies.

It seems there are no (good) work around.

Options : - use a proxy : setup and endpoint on server a to call b server side. - make a c-Name DNS entry for b to be seen as a

You may want to try the PayPal cross domain suite : https://medium.com/@bluepnume/introducing-paypals-open-source-cross-domain-javascript-suite-95f991b2731d

Interspace answered 5/1, 2018 at 14:58 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.