Login not persisting between sessions in Safari

[Roosader]

Problem description

Every time I relaunch Construct 3 on my iPad, whether from Safari or from a homescreen icon, my login info is not saved. I can login and then go offline for a single session, but I have to log back in every time.

Attach a .c3p

This is related to the editor and is not based in a project.

Steps to reproduce

1.Log in to the editor in iOS (browser or homescreen link) 2.Close editor 3.reopen editor

Observed result

Once the editor is reopened, I am once again running it as a guest.

Expected result

Stay logged in every session

More details

This only happens from my iPad. Everything works as normal in browsers I have tried on Windows, Linux, and Android.

Affects Chrome, Firefox, and Safari on iPad.

Thank you for reading. I really love Construct, and really want to use it a lot.

System details

View details

Platform information Browser: Safari Browser version: 13.0.1 Browser engine: WebKit Browser architecture: (unknown) Context: webapp Operating system: iOS Operating system version: 13.1 Operating system architecture: (unknown) Device type: mobile Device pixel ratio: 2 Logical CPU cores: (unavailable, defaulting to 2) Approx. device memory: (unavailable) User agent: Mozilla/5.0 (iPad; CPU OS 13_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1 C3 release: r164.3 (stable) Language setting: en-US Local storage Storage quota (approx): (status unavailable) Storage usage (approx): (status unavailable) Persistant storage: (status unavailable) Browser support notes This list contains missing features that are not required, but could improve performance or user experience if supported. Rendering multiple on-screen Layout Views is slow in Safari due to bug 177132 CSS containment is not supported. Editor performance may be significantly degraded. The

element is not supported. A polyfill is in use. The Clipboard API is not supported. Some clipboard features may be unavailable. Web Animations are not supported. Animations are disabled. WebGL 2+ is not supported. Rendering quality and features may be affected. ImageBitmap is not supported. Texture loading performance may be degraded. Idle callbacks are not supported. Background loading performance may be degraded. Determining input device capabilities is not supported. Persistent storage is not available. Local storage could be deleted by the browser. Storage quota estimate is unavailable. WebGL information Version string: WebGL 1.0 Numeric version: 1 Supports NPOT textures: partial Supports GPU profiling: no Supports highp precision: yes Vendor: Apple Inc. Renderer: Apple GPU Major performance caveat: no Maximum texture size: 4096 Point size range: 1 to 511 Extensions: EXT_blend_minmax EXT_sRGB OES_texture_float OES_texture_float_linear OES_texture_half_float OES_texture_half_float_linear OES_standard_derivatives EXT_shader_texture_lod EXT_texture_filter_anisotropic OES_vertex_array_object OES_element_index_uint WEBGL_lose_context WEBKIT_WEBGL_compressed_texture_pvrtc WEBGL_depth_texture ANGLE_instanced_arrays WEBGL_debug_renderer_info Audio information System sample rate: 44100 Hz Output channels: 0 Output interpretation: speakers Supported decode formats: MPEG-4 AAC (audio/mp4; codecs=mp4a.40.5) MP3 (audio/mpeg) FLAC (audio/flac) PCM WAV (audio/wav; codecs=1) Supported encode formats: (encoding not supported) Video information Supported decode formats: H.265 (video/mp4; codecs=hev1.1.2.L93.B0) H.264 (video/mp4; codecs=avc1.42E01E) Supported encode formats: (encoding not supported)

[AshleyScirra]

I would guess some new aggressive Safari privacy feature is breaking this and clearing storage. I think it will take some research to figure out what's changed and how to work around it.

[AshleyScirra]

You can work around this by turning off "Prevent cross-site tracking" in Safari's preferences. It looks like Safari has overzealous tracking blocking that breaks the login remembering its state.

[AshleyScirra]

References: MDN on Storage Access API: https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API (my reading of this suggests it won't necessarily solve the problem, especially since the login frame is not directly visited in a top-level context) WebKit bug: https://bugs.webkit.org/show_bug.cgi?id=202640 - I filed this since I believe typing in your password on a frame ought to signal sufficient interest in the frame to qualify it for storage access, and not be blocked as cross-site tracking. We'll see what (if anything...) Apple say.

[shortercode]

I've been doing some additional reading around this, and we might be able to persist the login for a limited duration by using the Storage Access API, but it will likely prompt the users for permission...

Note that while the linked article specifically states:

WebKit’s implementation of the API only covers cookies for now. It does not affect the partitioning of other storage forms such as IndexedDB or LocalStorage.

The article is from 2018, and the notes on ITP 2.3 ( released with Safari 13 ) states:

Put differently, ITP 2.3 caps the lifetime of all script-writeable website data[...]

While they are not specifically talking about cross domain storage there it's safe to say they have implemented the same restrictions for cross site storage, as per our own testing.

[Roosader]

That seems to work in Safari itself, though when installed as a PWA, it still doesn't work right. I'm guessing that's out of your control, as iOS has really poor PWA support.

[AshleyScirra]

There are two separate other bugs involving storage when installing to home screen on iOS: "Add to homescreen" apps don't share storage with Safari and Cross-origin storage in "Add to home screen" apps always lost. I don't think there's anything we can do to work around those - Apple needs to address them. To avoid confusing the issue at hand here, we will only be looking in to specifically ensuring Construct logins in the Safari browser are remembered between reloads.

You can also just use Chrome... 😛 Obviously we want to support browsers as best we can wherever possible, but Safari certainly is the browser we struggle most with for developing C3 - it has plenty of quirks, bugs and limitations.

[Roosader]

I'm not saying you folks should up and do this, as I understand that usage on mobile is not a huge priority, and the native app on desktop is the only browser-free version that there is, but would it at all be possible to essentially wrap the program and publish it in Mobile markets. I'm not a developer myself, so I wouldn't be able to gauge the feasibility of that myself. I just know PWAs are handicapped to an extreme degree on iOS and Apple has become somewhat more lax on apps that involve scripting on the App Store in recent years. C3 on iOS is still usable, but as soon as you preview something in another window, everything reloads and you are logged out. I would asse the only remaining snag is that you'd still be stuck with WebKit, thus likely rendering this a pointless endeavor.

[Roosader]

Is it a Safari issue rather than a general WebKit issue? I'm fine with not using Safari, but I have similar issues in Firefox and Chrome. Probably should have said that before. Sorry.

[AshleyScirra]

Please note that on iOS, Apple have banned all other browser engines, so you can only use Safari. Chrome, Firefox etc. for iOS are just skins over Safari. I could reproduce the issue in Safari on macOS as well, so having said that, I suppose my recommendation to use Chrome only applies to macOS. On iOS I would guess the only workaround is to change the Safari setting.

[AshleyScirra]

I just found this still reproduces in Safari on iOS 12.4. So it's not new to Safari 13 - I guess it's actually been happening for several months and nobody noticed until now...

[AshleyScirra]

I've got some speculative changes which involve a server-side change and a minor editor update scheduled for the next stable release (didn't make r170.2, will have to ship with actual stable release). It's difficult to test locally due to the origin and security restrictions involved, so I guess we will see then how it works out.

[Roosader]

Thank you very much! Will be sure to report back. :)

[AshleyScirra]

r171 is out but we need to make a server-side change before we can fully test this, so we will need to wait a little longer before confirming.

[AshleyScirra]

The server-side change didn't help. It looks like Safari simply completely blocks the account frame from using any storage at all on startup, which prevents it remembering the login state.

I can't think of anything else we can do. I think Apple will have to make a change to Safari to support this. In the meantime the only workaround is to either turn off "Prevent cross-site tracking" in Safari preferences (which affects all your browsing), or put up with having to log in again every time.