ionic-team / cordova-plugin-wkwebview-engine

Mirror of Apache Cordova wkwebview engine plugin
Apache License 2.0

Cookie support #23

Open joewoodhouse opened 7 years ago

joewoodhouse commented 7 years ago

Hi there,

It seems a fairly well-known issue that cookies don't really work (by default) with a WKWebView. Basically Set-Cookie is ignored, and no cookies are ever sent with requests.

This seems to be the primary discussion on the topic I can find: http://stackoverflow.com/questions/26573137/can-i-set-the-cookies-to-be-used-by-a-wkwebview

It looks like in that post there is potential to add support for cookies into this plugin. The way the xhr polyfill hooks in seems to be similar to how you would manage cookies. But it's well beyond my skill-level to attempt a PR. Does that seem possible?

jgw96 commented 7 years ago

Hello @joewoodhouse , what is your use case for using cookies over something like localStorage, indexeddb or any other form of web storage? Cookies are not really recommended to be used in cordova apps, especially since localStorage and indexeddb are so widely supported now.

joewoodhouse commented 7 years ago

Unfortunately my use case isn't that exciting. I need to communicate with an API that does cookie-based authentication, i.e. I do a POST to a /login endpoint, it returns a 'Set-Cookie' header with some sort of token, and future requests are expected to have that 'Cookie' header set. Pretty common, if quite dated, practice I think.

The API is not public so I can't link you the docs sadly.

neb636 commented 7 years ago

I have the exact same use case as @joewoodhouse. It is a private 3rd party api that needs to use 'Set-Cookie' header.

danbucholtz commented 7 years ago

@joewoodhouse, @neb636, typically session-based authentication is not the best for mobile "native" apps that are installed. Would you be able to use something like JWT or Basic auth instead? We'll take a look at this issue in the coming weeks. Thanks for letting us know.

Thanks, Dan

sjdrew commented 7 years ago

Also a show stopper for me. Eventually servers will be updated to handle another auth type, but currently like many others have run into this, cookies are still used in some mobile apps.

danbucholtz commented 7 years ago

Taking a step back from Ionic, I have never heard of anyone using session/cookie based auth for a mobile app before. Do the users have to log-in each time the app is used? Otherwise, how long is the session? Genuinely curious!

Thanks, Dan

sjdrew commented 7 years ago

After login a token is stored locally, and session is restarted. If session does expire it is restarted using the token, but in the meantime any cookies are passed back and forth and helps for things like images in templates where existing server code expected cookies to exist on the request.

The mobile app is making use of existing server APIs that worked with the browser, and because ionic / web views just work great with cookies it also made the app development easier. Long term the server APIs are being re-written to handle things more appropriately for mobile, but in the meantime this worked great. Or it did until we tried WKWebView.

If this is a rare occurrence, then no worries as we are already looking at changing the design, but there are others like this out there from what I have read.

ozexpert commented 7 years ago

PouchDB's auth works with cookie. https://github.com/nolanlawson/pouchdb-authentication#overview

Looks like I can't use it. Is there a way to enable it?

makkart commented 7 years ago

We depend on cookies for some stuff in our apps as well. If it's not supported, that's a deal breaker.

joewoodhouse commented 7 years ago

@danbucholtz Sorry for the slow reply.

I totally agree, if you were starting out a new project there's no way a sensible developer would choose a session/cookie based authentication mechanism for a mobile application. However as I think you can see from the other comments, a lot of app development is companies with an existing set of web services saying "Hey, can we put a web app on this?".

My users don't have to log in each time, my (Ionic 1) app manages the cookies as a normal web page would.

danbucholtz commented 7 years ago

Understood. Thanks for clarifying. We'll see what we can do.

Thanks, Dan

rammie commented 7 years ago

+1 This post seems to have some potentially useful information: http://stackoverflow.com/a/26577303

ozexpert commented 7 years ago

Any updates? My app is not working with uiwebview somehow, but with this plugin it works. Just the cookie support is missing.

dario-colombo commented 7 years ago

+1

joewoodhouse commented 7 years ago

I'm no expert but I'm 99.99% sure that code commit is nothing to do with this issue (possibly a typo) and the issue should be re-opened? @danbucholtz

longzheng commented 7 years ago

+1 cookie issue is not fixed

joewoodhouse commented 7 years ago

Please can this issue be re-opened, as stated above I think this has been closed in error.

agarcia17 commented 7 years ago

this helped me

const xhr = new XMLHttpRequest(); xhr.withCredentials = true;

joewoodhouse commented 7 years ago

OK 8th time lucky - can this issue be re-opened, else I'll just raise a new one? As I said before, this appears to have been closed erroneously, and as far as I'm aware cookies are still not supported? @manucorporat @danbucholtz @jgw96

jroets commented 7 years ago

We have run into this issue too. It is blocking us from moving to WkWebView. We use services that utilize cookies for auth. We do not have the power to change the services to something else, like token-based auth. They use the HttpOnly flag if that matters. Would love to see this issue re-opened and addressed.

We do not have this problem with UIWebView.

agarcia17 commented 7 years ago

It's semi-working on my end. The only issue I'm having is that on first boot (first time installation or update) of the application the 'Set-Cookie' is ignored just like you mentioned; but if the application is forced quit and started up again, everything works good from there on

dackom commented 7 years ago

+1 for this. I agree that the authorization header is newer and better for this sort of thing, but nobody mentioned web sockets. I have a case where I need to connect to a web socket. Cookies are automatically sent with the connection handshake for a web socket, so authorization works by itself. And even worse, there is no way to send an authorization header with a websocket. You can emit a message on connection, sending the auth token, but it complicates things on the backend.

sjdrew commented 7 years ago

Using the current version (cordova-plugin-wkwebview-engine 1.1.3-dev), cookies appear to be working great. In fact everything I have tested in my app is working well with wkwebview, including pouchdb.

However, one issue: when running under the simulator, cookies do not work.

Would be great to solve this last issue. Any ideas?

patrickbussmann commented 7 years ago

Will be great if cookies are enabled :+1: It's a browser so it should support it. But yes... OAuth2 in apps is really great :+1: But some things need cookies.

NiklasMerz commented 7 years ago

Are cookies currently supported? I am having trouble with my authentication requests. Possibly "HTTP only" are not working?

danielehrhardt commented 6 years ago

Same Question here

troyanskiy commented 6 years ago

I have the same problem with Set-Cookies. When you start the app first time it does not work, but after kill and restart works fine.

landabaso commented 6 years ago

In order to use cookies there's this plugin:

https://github.com/aporat/cordova-plugin-fetch

It's a native implementation of the fetch specification that returns the "Set-Cookie" header.

In addition, using that plugin, no CORS configuration is needed on the server.

The plugin lets you get the "Set-Cookie" header so that you can keep cross-domain cookies in localStorage (for example). Also, you can add back the cookies in further requests by setting the "Cookie" header.

You'll need to write your own "Set-Cookie" parser and also be sure to only send back the cookies that have not expired and match the domain and path of the requested url.

ck88ger commented 6 years ago

@agarcia17

Did your solution help you? const xhr = new XMLHttpRequest(); xhr.withCredentials = true;

Or do you still have the problem you told us about, that it only works fine if you restart the app after a fresh new installation?

landabaso commented 6 years ago

@Cagdas88, AFAIK, you'll always have the issue on clean installations. Based on my observations, wkwebview will only set the cookies on sites that have been previously visited (similarly as Safari with iframes). That's the reason it works on restart.

I suggest using https://github.com/aporat/cordova-plugin-fetch as mentioned above.

ck88ger commented 6 years ago

@landabaso

I can't concat my http rest calls in the app to cordovaFetch. My IDE found no cordovaFetch statements after I added this plugin to my project.

The docs on cordova-fetch-plugin are really short.... How did you do this in the end?

landabaso commented 6 years ago

I'm not sure I understood you. In case it helps, you might need to wait until the deviceready event is triggered.

ck88ger commented 6 years ago

@landabaso

My IDE says cordovaFetch is an unresolved function or method. Should I import it or do anything else before I can use it? I already installed this npm package into my app.

Can you give me a hint and show me how you implemented it in your code?

troyanskiy commented 6 years ago

@Cagdas88 Cordova plugins should be installed with Cordova CLI or Ionic CLI (which uses Cordova CLI). I think you don't understand how hybrid apps work and their architecture. Please read more theory and docs about hybrid apps, native plugins etc.

ck88ger commented 6 years ago

I installed it with

cordova plugin add https://github.com/aporat/cordova-plugin-fetch.git

and ionic cordova plugin add https://github.com/aporat/cordova-plugin-fetch.git

Is this wrong or what?

troyanskiy commented 6 years ago

If you are using Ionic then only the second installation should be used. Then it's normal that ide does know anything about that fetch plugin because you don't have a ts/Ionic wrapper. Just declare it as any before use.

ck88ger commented 6 years ago

Ok but it's not normal that my ide does know anything about that plugin. Everything worked fine before with other packages ....

I can't ignore that because ionic will not build with that if I use cordovaFetch. ....

Are there any differences between only fetch() and cordovaFetch()?

Bessonov commented 6 years ago

@landabaso

> It's a native implementation of the fetch specification that returns the "Set-Cookie" header.

But if you can retrieve httpOnly cookies with javascript, wouldn't that be a security issue?

ck88ger commented 6 years ago

@landabaso

I think this says everything:

cordova-plugin-fetch THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION!

This is no option for me.

BorntraegerMarc commented 6 years ago

I'm also using HTTPOnly cookies for authentication (session based) in my mobile & FE app. It was a better fit for us than tokens. I need to set the HTTPOnly cookie manually now because this issue is not resolved.