iPhone "Bookmark to Homescreen" removes cookies and session?

Asked 28/9, 2010 at 14:6 Answered 20/11, 2016 at 17:42

iphone web-applications mobile-safari iphone-standalone-web-app

Right now I am developing a Web-based Application, where the User has to login first.

When I open the Page by iPhone Safari, login and restart Safari, I am still logged in (Cookie & Session ID still set).

But when I add this Page with "Add to Home Screen", each Time i click the Icon for that page, I have to login again.

I did not find any information about that. What can I do so my users can set this page to their home screen as icon and still don't have to login each time they open it?

Judas answered 28/9, 2010 at 14:6 Comment(0)

A really simple approach could be to use a unique token in your Bookmark-URL which can serve you as a unique device identifier.

Example: http://myWebApp.com/?token=randomId29238/1

The token can be generated at the server side at opening time of the application in Mobile Safari and before the user is prompted with the "Add to Home Screen" information. The token can then be added to the URL using a quick redirect (…&token=randomToken) or a location hash (…#randomToken).

Whenever the Bookmark is now opened from the Home Screen, the token is sent to your server and you can identify the user's active session. You may also use the token as a permanent session id, but I advise against that because of security concerns.

To allow future logout and login procedures, you can always assign the new sessions to the token.

The token will serve you as a unique device identifier whenever the user will re-open your link from his Home Screen.

Kronick answered 31/12, 2011 at 16:29 Comment(1)

I think I may have discovered a strategy that is easier and more elegant, but I haven't been able to test it under iOS versions earlier than 6.0. I've posted an answer below that shows how. – Ostrogoth 30/1, 2013 at 1:0

There is an easier and, imo, more elegant solution than favo's.

At least under iOS 4.2.1, 5.1.1, 6.0 and 6.1 (I couldn't test other versions), if you extend the lifetime of your session cookie manually, Safari will hold on to the session cookie and even allow sharing of the session between the 'home screen installed' version of your web app and normal visits through Safari itself.

The trick is to do this:

// Start or resume session
session_start(); 

// Extend cookie life time by an amount of your liking
$cookieLifetime = 365 * 24 * 60 * 60; // A year in seconds
setcookie(session_name(),session_id(),time()+$cookieLifetime);

For a more elaborate discussion of this strategy you can take a look at my answer of this question:

Maintain PHP Session in web app on iPhone

Ostrogoth answered 30/1, 2013 at 0:59 Comment(3)

Just tried this on a problem I was having, nice little trick Wilbo, saved me a lot of time and effort. – Cardew 14/2, 2013 at 18:28

I can't get this working on iOS7, as far as I can tell, no cookies are persisted even when explicitly setting the cookie time out – Iffy 7/5, 2014 at 11:38

Hi Kyle, just tested this under iOS 7.1.1 and it works fine for me (session restored successfully after rebooting device). Are you certain the session ID actually changes? This solution doesn't magically store the content the user is looking at, it just retains the session cookie so your server can recognize the same session later. But it's still up to your server to remember where the user was in that session, and then serve that content when he returns to your web app. – Ostrogoth 7/5, 2014 at 11:52

I am going to expand a little further on Waldo Baggins' answer.

When I ran into this, I discovered the reason this was happening is that session cookies set on the server usually do not have an expiration value set. The default behavior in this case is for the browser to discard the cookie when the browser is closed / re-opened. Since the browser does not resend the cookie on re-opening, the server has no way of identifying the session, even if it hasn't expired on the server yet, and thus, your user is redirected back to the login page.

When the user is using your site in web app mode (icon added to home screen), iOS treats navigating to / from the app the same way a desktop computer would treat closing and reopening the browser, and loses the session when reopened.

So following Wilbo's suggestion and setting an expiration time for the cookie, iOS checks if the cookie has expired when the user navigates back to your app, and if it hasn't, re-sends the cookie, thus maintaining the session. The value of 1 year in Wilbo's answer is ridiculously long, you would typically want to set this to something like 8 or 24 hours, and ideally sync it with the session expiry timeout value you have set on the server.

Note that as a side effect, when your site is accessed from a desktop browser, and the user closes and re-opens the browser, the session would continue to persist and the user will still be logged in, which wouldn't have been the case previously (unless they were browsing privately). Your "Logout" feature would have to properly handle expiring this cookie.

For a Java webapp using web.xml version 3.0 or higher, the easiest way to do this is to modify <session-config> as follows:

<session-config>
    <session-timeout>600</session-timeout> <!-- In minutes -->
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
        <max-age>36000</max-age> <!-- In seconds -->
    </cookie-config>
</session-config>

Inroad answered 20/11, 2016 at 17:42 Comment(0)

There are persistent key-value storage and database storage available for web apps. You can save your authentication data using localStorage object and use XMLHttpRequest to send it to the server. Another option is saving your persistent data in a SQLite database, however this doesn’t seem to be a proper solution in your case. Check out Apple’s Client-Side Storage and Offline Applications Programming Guide for details/examples.

Lorie answered 4/10, 2010 at 12:31 Comment(7)

:) quiet complicated just to get the same result as safari browser. Do you have any simple example. Just to save the actual COOKIES, so when i restart the user for example dont have to login again. – Judas 4/10, 2010 at 14:59

If you want to stick with cookies, @Kronick answer will be a better choice because: i. cookies are append into http header in real world, append it to URL having similar effect ii. user cannot change URL if your homescreen app (web clip) is running under "standalone mode". One last thing: If you care security, you may use localStorage to stimulate 2-ways authentication. – Ague 4/1, 2012 at 15:37

I tried this. It does not work using "bookmark to homescreen". I can't find any written proof, but from all my testing it clears both cookies AND localStorage each time you open it. – Antonioantonius 9/5, 2012 at 8:55

Apple's example code works fine for me bookmarked to the home screen – Lorie 12/5, 2012 at 6:45

I like the localstorage option for my app. I can confirm at least in iOS7 that localstorage does persist in a bookmarked web app. We are using Redis on the backend and checking login from a cookie. We just store this sid in localstorage now and pass it in the url query. The server looks for cookie and url parameter and uses whichever is available. Just dont forget to clear localstorage when the user logs out! – Biotite 26/2, 2014 at 20:18

New link for Apple's guide is: developer.apple.com/library/content/documentation/iPhone/… – Bayless 29/3, 2018 at 16:44

@Lorie is this still applicable for iOS 12? – Vouvray 23/11, 2018 at 16:43

Recommended topics

Hot tags