[Webkit-unassigned] [Bug 255524] REGRESSION (Safari 16.4): Safari sometimes doesn't send cookies for assets requests and javascript fetch requests

bugzilla-daemon at webkit.org
Wed Jun 7 06:04:45 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=255524

Noel Da Costa <appledeveloper at arc2.co.uk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |appledeveloper at arc2.co.uk

--- Comment #48 from Noel Da Costa <appledeveloper at arc2.co.uk> ---
I'm having this same behaviour. I have a Docker env which is running so as to place the backend on https://be.mnr.localhost and the front-end on https://fe.mnr.localhost.

This has been working for some time. In the last week or so it stopped working on Safari only. It still works fine on other browsers.

The issue seems to be that once the PHP session is successfully initiated, Safari is not passing that token in further requests, while other browsers are.

A bit of a hunt around seems to suggest this on StackOverflow:

```
It seems to occur when the samesite attribute of Cookie is set to "Lax" in Safari 16.4. If the samesite attribute is not set (not 'none') in my Rails Application, this problem will not occur, but it will occur if it is 'Lax'.
```

And in the headers on the response from logging in successfully I can see:
```
Set-Cookie: PHPSESSID=9b2ad6e6db9da3c4a0e84f715cf32a3a; path=/; secure; HttpOnly; SameSite=Lax
```

However, I tried setting SameSite to `None` and `Secure` to true and now I get:
```
Set-Cookie: PHPSESSID=d083183b6e3cc1b9333348a700df4d9f; path=/; secure; HttpOnly; SameSite=None
```

However, it still does not pass the session cookie in further requests from the front-end.

Safari: Version 16.5 (18615.2.9.11.4)
macOS: Ventura 13.4 (22F66)
