Do Mobile Browsers send httpOnly cookies via the HTML5 Audio-Tag?

Asked 30/4, 2013 at 23:27 Answered 30/6, 2015 at 21:17

html5-audio mobile-browser cookie-httponly

I try to play some mp3 files via the html5 audio-tag. For the desktop this works great (with Chrome), but when it comes to the mobile browsers (also Chrome (for Android)), there seem to be some difficulties:

I protected the stream with some password an therefore the streaming server needs to find a special authentification cookie (spring security remember-me). But somehow the mobile browser doesn't send this cookie when it accesses the mp3-stream via the audio tag. When I enter the stream URL directly to the address bar everything works just fine.

While I searched for the lost cookie I found out, that the mobile browser still sends some cookies (e.g. the JSESSIONID) but not all. Further investigations (quick PoC with PHP) revealed that the mobile browsern seems to refuse to send cookies via the audio-tag which have the HttpOnly Flag set. So my question is:

Is this a specified behaviour, why are there differences between the mobile and the desktop versions (of Chrome) and is there a way control the behaviour from the client side?

Hie answered 30/4, 2013 at 23:27 Comment(0)

By looking more deeply into the HTTP packages I found out, that the Android browser doesn't request the mp3-stream itself, but delegates this to stagefright (some android multimedia client). A quick search revealed, that for the old Android versions (before 4.0) stagefright cannot handle cookies:

My own tests confirmed this. The old stagefright (Android 2.3.x) doesn't send any cookies at all, the stagefright from a european S3 (android 4.1.2, stagefright 1.2) sends only the the cookies which do NOT have the httpOnly flag.

So I think that everybody has to decide himself which solution he wants to use:

enable httpOnly: android has no access at all but its secure
disable httpOnly: less secure against XSS, but works for Android >4.0
disable cookie authentication at all: insecure but works for all

Note: The problem with simply disabling httpOnly is that you make your whole application vulnerable to cookie hijackers. Another possible solution would be to have a special rememberme cookie for the stream (without httpOnly) and another rememberme cookie with httpOnly enabled.

Hie answered 6/5, 2013 at 18:57 Comment(3)

This issue was reported to android: code.google.com/p/android/issues/detail?id=17553 though it has been marked closed as 'spam'. I may reopen the issue as I do not understand the 'spam' resolution. – Tush 3/4, 2014 at 18:18

Other issues to watch: code.google.com/p/android/issues/detail?id=66050, code.google.com/p/chromium/issues/detail?id=163796 – Tush 3/4, 2014 at 18:21

Probably same problem when embedding/streaming video using PHP and cookie/session authentication, see https://mcmap.net/q/1328188/-php-android-loses-session-and-cookie-information-when-using-embedded-video-player/1066234 – Pad 26/8, 2015 at 9:27

I had the same problem and disabling HttpOnly or Secure flags on cookies didn't solve the problem on Android 4.2 and 4.4 chrome browser.

Finally I figured the cause. I had a cookie with its value containing special characters colon ( : ) and pipe ( | ), etc. After disabling that cookie with special characters the videos play fine in Android 4.2 and 4.4.

Hope this helps someone.

Baggage answered 30/6, 2015 at 21:17 Comment(0)

Recommended topics

Hot tags