Safari 11 was recently released on Mac OSX. This update causes a problem with our web application in conjunction with XSRF in the header of our repeated request. I will try to describe the problem in a logical way. Here's what a good situation would look like:
When a user wants to log in, he receives a response from the server using Set-Cookie, which contains the value of the XSRF token. E.g.: Set-Cookie: XSRF-TOKEN=LKNBX4DZhL708KjXNkgXnlxTDCNuhsZG1kTc2SFy498; Path=/; Secure
Page refresh: the next call to be made contains the correct XSRF value in the header. On the server side, the value is checked, etc. Each call from the external interface will contain an XSRF token.
If a user logs out and wants to log in again, his XSRF cookie will be overridden with a new value, and he will be able to log in with this token.
Our problem situation (with Safari 11 on Mac OSX; other browsers do not show this behavior):
If the cookie does not exist, the user can enter the regular
However, if he wants to return to the system (after a previous session), an update occurs. At the first call, the XSRF token in its call is not replaced by the new value; it still contains the old XSRF token from the previous session. When we check this request, we see that the cookies of this request contain the correct value, but the header reflects the old token.
TL;DR: Safari 11 XSRF-TOKEN cookie. Safari 11.
Safari 11?
EDIT: URL Safari 11.