Apache Cordova / CB-10728

Set-Cookie is ignored in WKWebViewEngine

      Description

      I'm trying to upgrade a cordova-ios 4.0.1 app, fully functioning with the old UIWebView, to use cordova-plugin-wkwebview-engine 1.0.2.

      The app does AJAX calls via jQuery, something like this:

      $.ajax({
      	crossDomain: true,
      	xhrFields: {withCredentials: true},
      	url: 'https://server.com/login',
      	foo: "bar"
      });
      

      After login, the server returns a set-cookie with an authorization token. This cookie is not included in subsequent requests when using WKWebView. It's simply ignored. I've tried multiple CORS configurations on the server, as liberal as possible, with no luck.

      Here are the 3 key requests (I'm omitting unrelated headers like Accept and User-Agent):

      Pre-flight OPTIONS
      The webview sends an OPTIONS to the login URL with the headers

      • Origin: null
      • Access-Control-Request-Method: POST
      • Access-Control-Request-Headers: accept, origin, content-type

      The server responds with 200 OK and the headers

      • Access-Control-Allow-Origin: null
      • Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
      • Access-Control-Allow-Headers: accept, origin, content-type
      • Access-Control-Allow-Credentials: true

      Login POST
      Now the webview sends the actual login request, with the header

      • Origin: null

      The server responds with 200 OK and the headers

      • Access-Control-Allow-Origin: null
      • Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
      • Access-Control-Allow-Headers: accept, origin, content-type
      • Access-Control-Allow-Credentials: true
      • Set-Cookie: token=abc123; path=/; expires=Fri, 29-Apr-2017 12:49:06 GMT; HttpOnly

      Authorized GET
      After login the application believes it's logged in, and tries to access a restricted resource. However the only headers sent are Accept, User-Agent and Origin. No Cookie.


      Google returns vaguely similar issues around WKWebView and cookies, some of them from the Telerik plugin, but I see no concrete evidence that anyone has gotten this kind of auth flow to work. Even though it does in UIWebView. Is it simply not supported? Am I missing some obscure CORS detail? Either way, maybe it should be documented somewhere.

              People

              • Assignee: Unassigned
              • Reporter: iggy_fisk Sverre W
              • Votes: 4
              • Watchers: 7

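As an added example (not part of the original report or of any Cordova code), the script below audits the login exchange listed in the description against the Fetch-standard rules for credentialed CORS. It shows that the reported headers pass that check, and it flags server-side settings worth reviewing. The function names `parseSetCookie` and `auditCredentialedCors` and the sample object are constructed for illustration.

```javascript
// Added example: audit a captured exchange against the credentialed-CORS
// rules and flag cookie attributes a reviewer would question.

// Constructed sample: the login POST headers exactly as listed in the report.
const loginExchange = {
  requestOrigin: 'null',
  responseHeaders: {
    'Access-Control-Allow-Origin': 'null',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers': 'accept, origin, content-type',
    'Access-Control-Allow-Credentials': 'true',
    'Set-Cookie': 'token=abc123; path=/; expires=Fri, 29-Apr-2017 12:49:06 GMT; HttpOnly',
  },
};

// Split a Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function auditCredentialedCors({ requestOrigin, responseHeaders }) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const errors = [];   // a conforming browser blocks the response
  const warnings = []; // accepted by the browser, risky for the server
  const acao = h['access-control-allow-origin'];
  if (acao === '*') errors.push('ACAO "*" is rejected when credentials are included');
  else if (acao !== requestOrigin) errors.push('ACAO does not match the request Origin');
  if (h['access-control-allow-credentials'] !== 'true') errors.push('ACAC must be exactly "true"');
  if (acao === 'null') warnings.push('ACAO "null" with credentials trusts every opaque origin');
  const cookie = h['set-cookie'] ? parseSetCookie(h['set-cookie']) : null;
  if (cookie && !cookie.attrs.secure) warnings.push(`cookie "${cookie.name}" lacks Secure`);
  if (cookie && !cookie.attrs.samesite) warnings.push(`cookie "${cookie.name}" sets no SameSite`);
  return { corsPasses: errors.length === 0, errors, warnings, cookie };
}

const report = auditCredentialedCors(loginExchange);
console.log(JSON.stringify(report, null, 2));
```

The sample passes with no errors and three warnings, so the CORS response headers listed in the report do not by themselves account for the missing Cookie header.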