[Webkit-unassigned] [Bug 276313] New: Safari is ignoring the session cookie for localhost sites
bugzilla-daemon at webkit.org
Mon Jul 8 06:15:27 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=276313
Bug ID: 276313
Summary: Safari is ignoring the session cookie for localhost sites
Product: WebKit
Version: Safari 17
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Page Loading
Assignee: webkit-unassigned at lists.webkit.org
Reporter: appledeveloper at arc2.co.uk
CC: beidson at apple.com
Created attachment 471839
--> https://bugs.webkit.org/attachment.cgi?id=471839&action=review
Login request where credentials are passed and session cookie is returned but the route guard request doesn't have the cookie to send, and so the response from the server doesn't allow navigation.
Safari is ignoring the session cookie for localhost sites that are on the same domain (but different subdomains). This behaviour is unique to Safari; I've tested this on Chrome, Brave, Firefox and Opera – all work as expected.
The environment is a docker-compose network. The docker-compose file is included below. I have entries in `/etc/hosts` for the domains:
```
127.0.0.1 be.mnr.localhost
127.0.0.1 fe.mnr.localhost
```
All the routing works correctly but while the session cookie is received as part of the request response, Safari is ignoring it and so subsequent requests after login are not having the auth token passed with them and thus the server believes the session is not authenticated. This is a CORS browser implementation issue. I have the cookie session samesite set to "Lax".
docker-compose.yml
```
version: "3.9"
networks:
  web-network:
services:
  caddy:
    image: caddy:latest
    restart: always
    volumes:
      - ./caddy/data:/data
      - ./caddy/config:/config
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./caddy/logs:/logs
      - ./mnr:/var/www/html
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web-network
    # this bit allows caddy on docker to see the listener on the external (to docker) port 8080 (which listens locally on my laptop)
    extra_hosts:
      host.docker.internal: host-gateway
  php:
    build: ./php
    tty: true
    restart: always
    volumes:
      - ./mnr:/var/www/html
      - ./php/etc/:/usr/local/etc/
      - ./php/tmp/:/tmp/
    networks:
      - web-network
    extra_hosts:
      host.docker.internal: host-gateway
  mysql:
    image: mysql/mysql-server:8.0-aarch64
    ports:
      - "23306:3306"
    environment:
      MYSQL_ROOT_HOST: "%"
      MYSQL_ROOT_USER: <redacted>
      MYSQL_ROOT_PASSWORD: <redacted>
      MYSQL_DATABASE: <redacted>
      MYSQL_USER: <redacted>
      MYSQL_PASSWORD: <redacted>
    volumes:
      - $PWD/db/data:/var/lib/mysql
    networks:
      - web-network
    extra_hosts:
      host.docker.internal: host-gateway
```
This ticket came as a request from Young F. to open a new ticket based on my comments on this ticket: https://bugs.webkit.org/show_bug.cgi?id=255524. My comments there may shed extra light on this issue.
Thanks,
Noel
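
An added example, not part of the original report or of WebKit's code: a check of which of the two hosts from the `/etc/hosts` entries a session cookie set by `be.mnr.localhost` is scoped to under the RFC 6265 domain-match rules, as a baseline to compare a browser's behaviour against. The `Set-Cookie` values, the cookie name and the function names are constructed assumptions; the report does not show the real header.

```javascript
// Constructed Set-Cookie values; the report does not show the real header.
const HOST_ONLY = "session=abc123; Path=/; HttpOnly; SameSite=Lax";
const PARENT_DOMAIN = "session=abc123; Domain=mnr.localhost; Path=/; HttpOnly; SameSite=Lax";

// Split a Set-Cookie value into its attributes (keys lower-cased).
function parseAttrs(header) {
  const attrs = {};
  for (const part of header.split(";").slice(1)) {
    const a = part.trim();
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? "" : a.slice(i + 1).trim();
  }
  return attrs;
}

// RFC 6265 section 5.1.3: equal, or host ends with "." + cookie domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Is a cookie set by setterHost stored, and is it attached to requestHost?
// Not modelled: Path, Secure, SameSite, and the browser-specific
// public-suffix rejection in section 5.3 step 5.
function cookieScope(header, setterHost, requestHost) {
  const domain = (parseAttrs(header).domain || "").replace(/^\./, "");
  if (domain === "") {
    // No Domain attribute: host-only cookie, exact host match required.
    const sent = requestHost.toLowerCase() === setterHost.toLowerCase();
    return { stored: true, hostOnly: true, sent };
  }
  // The setter must itself domain-match the Domain attribute (5.3 step 6).
  if (!domainMatch(setterHost, domain)) {
    return { stored: false, hostOnly: false, sent: false };
  }
  return { stored: true, hostOnly: false, sent: domainMatch(requestHost, domain) };
}

// Hosts from the report's /etc/hosts entries.
for (const [label, header] of [["host-only", HOST_ONLY], ["parent-domain", PARENT_DOMAIN]]) {
  for (const host of ["be.mnr.localhost", "fe.mnr.localhost"]) {
    console.log(label, host, cookieScope(header, "be.mnr.localhost", host));
  }
}
```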