bug: first party http cookie deleted after period of time (iOS/Android)

[matthiastz]

Bug Report

Capacitor Version

  @capacitor/cli: 3.5.1
  @capacitor/core: 3.5.1
  @capacitor/android: 3.5.1
  @capacitor/ios: 3.5.1

Platform(s)

native Apps on iOS, Android

Current Behavior

• process: Our users that do not already have a session (cookie), login in into the App or do SSO (auth)
• bug:
  • when users who were already logged in into the native App (e.g. iOS) do not use (open) the App for a period of time they are automatically logged out when re-opening the app after the period of time (before that they were successfully logged in)
  • I debugged the cookies that were transmitted on the first start of the App after period of time (e.g. 2, 3 or 4 weeks) and the client did sent 0 (!) Cookies -> thus I suspect some process (Capacitor itself? ITP?) wiping the complete cookie storage of the App

Expected Behavior

Already logged in users should not loose their session (Cookie) automatically, but stay logged in. Cookie storage never should get deleted.

Code Reproduction

Can not share any code, since these are private company repos. But I can describe some basic setup: we have lots of JS/TS code, that handle our views. Capacitor is used to wrap this and deploy a native iOS and Android App for the users.

Our main backend that is used by the App handles authentication and authorization (and other parts), we setup the main domain for the server.hostname config in capacitor.config.json, e.g. when the backend runs at https://some.domain.com we set server.hostname to domain.com (relevant: https://github.com/ionic-team/capacitor/issues/1373#issuecomment-707822708)

Other Technical Details

npm --version output:

node --version output:

pod --version output (iOS issues only): 1.11.3

Additional Context

• we experience these issues (with up and down phases) since Nov. 2021
• since February 2022 these issues happen quite often again
• our main backend API is always first party domain
• we only create secure, http-only Cookies at the backend // so this topic is not about scriptable document.cookies
  • some cookies are created for domain some.domain.com and others for domain.com
• relevant issues: https://github.com/ionic-team/capacitor/issues/1373

Hints for possible causes for this issue

• we only have this issue for our native (not web) Apps and with (session) Cookies
• the time period of time part is very interesting, because the cookie deletion / logouts only happen, when the user had some longer period of inactivity. I know that ITP has different rules to delete web relevant data after different period of times (7 day rule to delete script writable storage, 30 days for all website data)

Thx already for any info and help! 🙂

[matthiastz]

@thomasvidas any idea how this could happen? 🤔

[d00ML0rDz]

We've been seeing the same behaviour on the iOS version of our app, where our auth cookies seem to get removed after about a week of not opening the app on an iOS device.

Don't suppose you've found any work arounds for this @matthiastz?

[jjang16]

We're seeing the similar cookie-dropping behavior in our ios app. The cookie dropping behavior is flaky. It happens only on some ios devices. I'm guessing this issue might be related to ios privacy / tracking constraints..... or not. :(