Background
I am seeing very confusing behavior with the Android WebView in API 21 and above when testing on real devices.
I have a local HTML5 application (internal folder with resources) with the following functionality:
- Login (2-step authentication).
- Display a list of items based on authentication.
Problem:
After completing the login requests, the server returns a session cookie. This cookie is not saved in the WebView when using real devices with API 21 or higher. If I use emulators (in this case Genymotion), the cookies are saved correctly.
Additional information:
The auth request has the following headers:
    POST http://myServer/j_spring_security_check HTTP/1.1
    Proxy-Connection: keep-alive
    Content-Length: 101
    access-control-allow-origin: *
    accept: application/json
    access-control-allow-credentials: true
    User-Agent: Framework/1.5.0 (Linux; U; Android 6.0.1; Nexus 5X Build/MMB29Q) App/0.1.1
    Origin: file://
    content-type: application/x-www-form-urlencoded
    Accept-Language: en-US
    X-Requested-With: app.package
    Host: myServer
With the following answer:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Set-Cookie: JSESSIONID=4D169E8656DBEDFFA4D17FE8D436A5BA; Expires=Fri, 19-Feb-2016 14:27:55 GMT; Path=/; HttpOnly
    Content-Type: application/json;charset=UTF-8
    Content-Length: 43
    Date: Fri, 19 Feb 2016 14:17:55 GMT
A cookie is not stored on devices with API 21 or more. The same request / response works fine in other devices + all emulators.
Explanation
(before the cookieManager or webview is instantiated, as the documentation says)
    if (VERSION.SDK_INT >= 21) {
        CookieManager.getInstance().setAcceptThirdPartyCookies(this.nativeWebView, true);
    }
If, after authentication, I access the cookie store and check hasCookies, I get false.
The two-stage auth service actually calls 3 different paths from the same endpoints. None of the cookies that the responses of these services create are stored. I do not know whether this is relevant or not.
With simple authentication (on another server), cookies are stored correctly in all device emulators.
I am using Angular 1.5
I know that the service uses http instead of https. This will be decided in the future.
I do not get an error in the consoles.
Questions:
Is there any internal security measure in WebViews that blocks the storage of cookies? Why does this work on emulators (which are rooted devices) and not on real devices? It bothers me a lot.