Login/Register
HTML5 video/audio player on mobile Safari (iOS 7 & iOS 10) excludes cookies
Asked Answered
htmlcookiesios7mobile-safariios10
C

9

15

I have noticed that the HTML5 video/audio player (AppleCoreMedia) on mobile Safari on iOS 7 excludes all cookies, even first-party cookies. Not even sessions cookies are included in the HTTP-header. This makes it impossible to relay on cookie authorization when playing a video clip in mobile Safari on iOS 7.

All cookies are included correctly running iOS 6 but on iOS 7 no cookies are included in the HTTP-header of AppleCoreMedia.

Can some one else confirm this issue on iOS 7?

Steps to reproduce is:

  1. Create a cookie on a web page.
  2. Play a HTML5 video clip on the same web page using mobile Safari in iOS 7.
  3. Check the server logs for AppleCoreMedia and look for the cookie.

Update 2016-09-20: The video player in iOS 10 (AppleCoreMedia) is not able to read session cookies. Only cookies set with an expire date is readable by the video player.

Chondrite answered 6/10, 2013 at 23:20 Comment(6)
This question appears to be off-topic because it is an iOS bug report, not a programming problem.Peep
Customer with 7.0.3 had the problem. And now with 7.0.4 continues with the problem.Soprano
Still seeing this issue in 7.0.4. Is there a public issue for this that I could comment on/track?Erwinery
@JordanEldredge I have submitted to Apple and to OpenRadar (not my proudest moment in bug reporting but...): openradar.appspot.com/radar?id=5238098090786816Engen
This issue seems to be back in iOS10 :-(Sazerac
Yeah, we are also seeing this. Our 10.0 and 10.1 users have problems with streaming certain resources, while it works great on 9.3 and 10.2. We can reproduce the streaming problems on 10.0 and 10.1, but the strange thing is that it works occasionally, like 5% of the times we attempt to stream. And most resources stream perfectly well.Aviary
F
12

For iOS10, if you respond with a 403 forbidden, AppleCoreMedia will somehow try again but this time with the missing cookies. If you have code that redirects to login page when the session cookie is missing, video will not work on iOS 10.

Ferrara answered 13/10, 2016 at 8:0 Comment(3)
This fixed iOS bug. Yet I am very interested to understand why iOS has implemented this feature. It clearly is not a bug. They do that on purpose! But why?Checkerboard
Apple seems to have fixed it in iOS 10.2Ferrara
On the second request, the cookies are stilling missing for me. On latest version of PS4 default browser (seems to have same issue). AppleWebKit/605.1.15 (KHTML, like Gecko) libhttp/6.20 (PlayStation 4)Boswell
C
3

I have developed a simple test where you can check if your iOS device have this bug.

Read more about the test here!

Chondrite answered 5/11, 2013 at 10:17 Comment(0)
C
3

The bug continues to exists in iOS 7.1

Obviously Apple is ignoring this bug and I can not understand why since it affects so many users.

I have been running some tests on a iOS 7.1 device that had this problem and it is pretty clear that the bug is related to the private browsing feature. Turning private browsing on and then off fixes the problem on the device.

Chondrite answered 11/3, 2014 at 13:10 Comment(0)
E
2

I'm still seeing problems with iOS 7.0.4, unfortunately. Is the below consistent with what you're seeing or is this perhaps another type of issue?

My test server is running Moodle on Apache and one user can consistently replicate this with two iPads on iOS 7.0.4. The HTTP 407s in the logs below is a Moodle thing. As you can see the cookie is not sent with the range requests:

access_log:

xxx.yyy.zzz.227 - - [22/Nov/2013:23:11:18 +0000] "GET /pluginfile.php/21/mod_videofile/videos/0/trailer_test.mp4 HTTP/1.1" 200 3711807 "http://xyz.bitnamiapp.com/mod/videofile/view.php?id=2" "Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53"
xxx.yyy.zzz.227 - - [22/Nov/2013:23:11:19 +0000] "GET /pluginfile.php/21/mod_videofile/videos/0/trailer_test.mp4 HTTP/1.1" 407 12818 "-" "AppleCoreMedia/1.0.0.11B554a (iPad; U; CPU OS 7_0_4 like Mac OS X; en_us)"
...

forensic_log:

+Uo-kj38AAAEAAH0O5MEAAAAJ|GET /pluginfile.php/21/mod_videofile/videos/0/trailer_test.mp4 HTTP/1.1|Host:xyz.bitnamiapp.com|Referer:http%3a//xyz.bitnamiapp.com/mod/videofile/view.php?id=2|Accept-Encoding:gzip, deflate|Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8|Accept-Language:en-us|Cookie:MoodleSession=24gkspshgl8027k3l7p2cor631|Connection:keep-alive|DNT:1|User-Agent:Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53
+Uo-kkH8AAAEAAB2cL4IAAAAA|GET /pluginfile.php/21/mod_videofile/videos/0/trailer_test.mp4 HTTP/1.1|Host:xyz.bitnamiapp.com|Range:bytes=0-1|X-Playback-Session-Id:DF1039A4-571B-4EB8-BFFB-EF07CD730CA2|Accept-Encoding:identity|Accept:*/*|Accept-Language:en-us|Connection:keep-alive|User-Agent:AppleCoreMedia/1.0.0.11B554a (iPad; U; CPU OS 7_0_4 like Mac OS X; en_us)
-Uo-kj38AAAEAAH0O5MEAAAAJ
-Uo-kkH8AAAEAAB2cL4IAAAAA
...
Engen answered 23/11, 2013 at 7:2 Comment(8)
You are correct! It seems like this bug still exists for a lot of users running iOS 7.0.4Chondrite
Correct me if I'm wrong. What I see there is a second request without a moodle cookie needed to see the video.Soprano
@Soprano Some guesswork here but I think the first request might be for the browser to pick up the media file header or similar. The logs say 3711807 bytes but I'm pretty sure it doesn't read all of it. The second request with the missing cookie seem to be from the iOS video player. Since the cookie isn't set, Moodle replies with 407 in order to try to stop more incoming range requests instead of loading parts of the login page a hundred times. Is that what you mean or am I perhaps drawing the wrong conclusion somewhere?Engen
I have news from my site: AppleCoreMedia doesn't send the cookies. But one of my mates found that turning the iPad safari into private mode, and then back to normal, fixed it for him. Go figure.Soprano
@Soprano That sounds great! I'll write back when I know if it worked or not. Thanks!Engen
@Soprano Yes, it actually seem to work! Great detective work : )Engen
It works for you too? Good news! Anyone else having the same good results?Soprano
If so, then it should be easy for Apple to fix the bug. Ask your friends and colleagues to run my tests on bizify.me/test-if-your-ios-device-is-broken and if they can not play the video correctly, ask them to switch the "private mode" back and forth.Chondrite
D
1

Using iOS 7.0.2, I am seeing cookies included in the request. Here's my user agent header:

User-Agent: AppleCoreMedia/1.0.0.11A501 (iPad; U; CPU OS 7_0_2 like Mac OS X; en_us)
Dichroite answered 8/10, 2013 at 21:46 Comment(7)
Thank you very much Shawn for confirming this bug is fixed in for AppleCoreMedia/1.0.0.11A501, the video player included with iOS 7.0.2Chondrite
I know for sure that this bug exists for AppleCoreMedia/1.0.0.11A465, the video player included with iOS 7.0.0 but I do not know if the bug is fixed in iOS 7.0.1Chondrite
I've now got a few friends with iOS 7.0.2 to visit a web page I set up to investigate this bug and I see clearly that the cookies do not work in AppleCoreMedia/1.0.0.11A501 if the visitor is using Safari. So I am a little puzzled that you Shawn writes that cookies work in AppleCoreMedia/1.0.0.11A501. But I have also discovered that cookies works well in AppleCoreMedia/1.0.0.11A501 if the user visits the website via uiwebview (for example via the Facebook app). Maybe this problem is related to the Nitro engine in Safari? The Nitro engine is not used in uiwebview.Chondrite
Kalle, I tested with Safari, not a webview. My test was different in one respect, however: I used an HTML5 audio stream, not video. It shouldn't matter, but it might be worth checking. If that doesn't explain it, would you post your test page so I can try it?Dichroite
we are experiencing no cookies in 7.0.3, but 7.0.2 seems to work. not sure if this is a bug or security issue. we have had to resort to a patch of altering the URL to pass in session information which is something we really don't like doing, but we validate the media url from the session so we had to figure out some workaroundBurstone
@Burstone I can't reproduce it myself but in the web server logs (mod_forensics), I see iOS7.0.3 video requests without cookies. I'm also seeing it with iOS6.1.3 so maybe I'm up against a completely different problem. Did you ever figure out anything on why sometimes cookies are included and sometimes not? The weird thing is that one user can reproduce this bug (?) with all his iOS devices and I can't reproduce it with any of mine.Engen
Jason, I fully agree with what you write. It is really weird that for some users cookies works without problem regardless what iOS version the user is running and for other users cookies does not work at all. There is no common denominator, which makes it extremely difficult to debug. It is only Apple them self that can debug this issue. I've filed a bug report but it is doubtful whether it has even caught the attention of Apple and I do not know how to make Apple aware of this serious problem. It breaks a lot of sites that relies on cookie authentication for their video and audio clips.Chondrite
C
1

This problem is not yet fixed by Apple. We are continuously receiving reports from our users running iOS 7.0.6 that they are not able to play video clips because no cookies are included in the header.

And for many users, turning safari into private mode, and then back to normal, does not fix the problem.

I have also noted that Dropbox wrote in their blog that they have reverted back to url token authenticating because of problems of these kind with video players.

Apple is continuously ignoring our bug report so this bug will probably not be fixed for a long time.

Chondrite answered 6/3, 2014 at 9:19 Comment(0)
S
1

I'm hearing on the grapevine that iOS 10.2 will contain a fix for this problem

Sazerac answered 9/11, 2016 at 15:49 Comment(3)
I hope you're grapevine is right! I see [en.wikipedia.org/wiki/IOS_version_history](10.2 Beta 3) is available, but there's no list of bug fixes in the notes. How long does it usually take between a Beta and stable release?Gwenngwenneth
EDIT: I heard from someone with a friend at Apple who said the stable iOS 10.2 version is due mid-December 2016.Gwenngwenneth
Nope no fix yet. Still having this problem.Whortleberry
T
1

I had the similar issue with Safari. I was using <audio> tag inside the html loaded by jquery. Safari did not include cookies in the request for the audio source, therefore it did not load properly. But somehow it worked after I refreshed the page with CTRL+F5 - it sent cookies with this total reload...

I solved it by adding crossorigin="use-credentials"... Nasty problem.

Tinct answered 19/11, 2019 at 10:38 Comment(0)
R
0

I had similar problems with cookies on iOS 7.0.3, but they are fixed now with iOS 7.0.4. Let's hope it stays this way.

Reassure answered 14/11, 2013 at 21:54 Comment(4)
Yes, it looks like this bug is now fixed in iOS 7.0.4 :)Chondrite
I'm still seeing the problem with iOS 7.0.4 (see my "answer" containing the logs).Engen
Yepp. I was wrong. The bug still exists in iOS 7.0.4 for a lot of users.Chondrite
Confirmed, bug exists for some 7.0.4 customersSoprano

© 2022 - 2024 — McMap. All rights reserved.