[Webkit-unassigned] [Bug 237350] New: Web App Added to Home Screen Cookies Deleted After 7 Days

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 1 17:48:49 PST 2022 

https://bugs.webkit.org/show_bug.cgi?id=237350

            Bug ID: 237350
           Summary: Web App Added to Home Screen Cookies Deleted After 7
                    Days
           Product: WebKit
           Version: Safari 15
          Hardware: iPhone / iPad
                OS: iOS 15
            Status: NEW
          Severity: Major
          Priority: P2
         Component: Website Storage
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ben at ribbongang.com.au
                CC: sihui_liu at apple.com

We have a PWA using a Service Worker, Application Cache and IndexedDB to provide offline functionality to our users. Our users are from a medium-size enterprise and they all have the app installed to Home. We have set the authentication cookie to expire after 28 days. It is set as Secure and Same-site: Strict. Our app display mode in the manifest is set to 'standalone'. This is an internal specialist app so some users may not have cause to access it regularly hence the longer expiry.

We deployed this app only a few months ago but we've recently had reports that the users are being asked to login again after only 7 days. We were able to confirm this on our iPhone 7 with iOS 15.3.

We're aware of the restrictions of 7 days on script writable storage for a web site opened in Safari but our users install the app to the Home screen. In our testing we opened our app 4 days out of 7 to check whether or not our user was still logged in and yet it still logged us out after only 7 days. The only thing we perhaps didn't do was tap around in the app when we opened it to check the login status. The app users would normally be completing activities in the app that would cause them to tap buttons etc. However we would expect that opening the app would mean that the counter should be reset to 0. Or is it that the user must actually interact with the app by tapping a button or completing an input field to count as a interaction?

Could you please also clarify for us, if the user doesn't use the installed app at all, i.e. they don't open it at all, for a period of 7 days will their app storage (IndexedDb, cookies etc.) be automatically deleted? Or should the data be safe based on this line "We do not expect the first-party in such a web application to have its website data deleted." from https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/  ?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220302/e93c9b35/attachment.htm>

More information about the webkit-unassigned mailing list