bug: cookies not being expired when capacitor cookie plugin enabled iOS

Open davidbeaton opened this issue 2 years ago • 6 comments

Bug Report

Capacitor Version

@capacitor/cli: 4.8.0
@capacitor/core: 4.8.0
@capacitor/ios: 4.8.0
@capacitor/android: 4.8.0

We do see it on Capacitor 4.6.1 as well and updated to 4.8.0 to see if it would resolve the issue but it did not.

Platform(s)

iOS versions 16.2 and later on physical device. We couldn't recreate on a 16.1 simulator, but there may be iOS updates not yet on the simulator.

Current Behavior

When we return a set-cookie header _xyza, we see the cookie being sent on subsequent requests as expected. If we update the value of the cookie we also do see the cookie sent with the new value, but we also sometimes see the cookie sent with the older value.

And if we expire the cookie with set-cookie Expires=Thu, 01 Jan 1970 00:00:10 GMT we continue to see the cookie sent on subsequent requests.

Expected Behavior

When the cookie value is updated with set-cookie we expect to always see the updated value on subsequent requests. If the expires on cookie-set is set to Expires=Thu, 01 Jan 1970 00:00:10 GMT; we no longer expect to see the cookie being sent.

Other Technical Details

Example sequence below describes what we see.

Request 4 expires the cookie. We log out of our app and back in.

- Request 1, we see the expired cookie sent (unexpected) and we return a new cookie value with set-cookie
- Request 2, we see the cookie value we set in the previous request 1 response sent (expected)
- Request 3, we see the cookie from previous request 4 sent (unexpected) and we set a new cookie value on set-cookie
- Request 4, we see the cookie from previous request 4 sent (unexpected)

Example sequence below shows the actual cookie results of what we are seeing from the sequence described above.

Previous request 4: set-cookie: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..Mkmtbbxc-4X7o17B.44-AsGgX4QNHmmeD86kBMi6mdOvQvQlymjhPPC7YwLZepPqMZNfx1DJK9gv1LnE8bJk1wgZh6nn56tRWlJeP4f5SvAvJzAFXBSfxE7S-vdqrzxKXqMbnllL6tAcALZ8-ZMdcJ8pyp6cKiiPFvn7-VAA0AP_L51zbz--BbEcNpq70P7YEqabzYsmxI5Nb3nyryW1U2_hZjtysb40VXPU-rnpK9lsXLp9ubE_ZNQUZiJzCtKintlMTNeD0VenCTUfnpFv4JEurjhTaDT6m1bqnHyv6IuWvwbaez52DMomJOR_eg-AtjqDEDtJbAmIoU8EsyQGrNMrkhZmQB7NtDLlGVzt_DCIo2XhG-RH8DNvMcuQpLfgAEZT5B1kbxb8iRjUMewdm_nx5w8Axej2nu15oDFQ0sqOr-n3tXiuOt-T0OGUYPPOH0J0Z7RK6F8ehwqT1E-ASRmdiLUFkjzBP185o6cmouHeVOrqbyREbyfrmkMKAAEIZ3Rw9y5_nTPk1tprbgFzXoKQyhw.JsE-xkpyHCdYKyEaDQ7jqQ; Domain=.myserver.com; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/; Secure; HttpOnly

Logout....

New request 1: cookie sent: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..Mkmtbbxc-4X7o17B.44-AsGgX4QNHmmeD86kBMi6mdOvQvQlymjhPPC7YwLZepPqMZNfx1DJK9gv1LnE8bJk1wgZh6nn56tRWlJeP4f5SvAvJzAFXBSfxE7S-vdqrzxKXqMbnllL6tAcALZ8-ZMdcJ8pyp6cKiiPFvn7-VAA0AP_L51zbz--BbEcNpq70P7YEqabzYsmxI5Nb3nyryW1U2_hZjtysb40VXPU-rnpK9lsXLp9ubE_ZNQUZiJzCtKintlMTNeD0VenCTUfnpFv4JEurjhTaDT6m1bqnHyv6IuWvwbaez52DMomJOR_eg-AtjqDEDtJbAmIoU8EsyQGrNMrkhZmQB7NtDLlGVzt_DCIo2XhG-RH8DNvMcuQpLfgAEZT5B1kbxb8iRjUMewdm_nx5w8Axej2nu15oDFQ0sqOr-n3tXiuOt-T0OGUYPPOH0J0Z7RK6F8ehwqT1E-ASRmdiLUFkjzBP185o6cmouHeVOrqbyREbyfrmkMKAAEIZ3Rw9y5_nTPk1tprbgFzXoKQyhw.JsE-xkpyHCdYKyEaDQ7jqQ

set-cookie: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..9t2ueO_VkuGQW1LH.29l- fyBLQSQGK_0xdrokQLBlpBvjkqtnUKJ5NvYtNVPXyC-oVvh1cwu7lOw3rWtW8prluNr3QpP7HMx92Zs0gH2WWDZGy0BUojWq8bJX_YwvhmZHDQ3K7gqF207bXANMQ5iy5wJM9-m6bSKzMI0rng0-T1ZSbvL4Uy8ImNAWhfXNGcN6aWcbjfcSQNd_W3Fix3hZMW-srCCwO9vpS-_IlM7xu7JLbxIEgugkoYisCuyvsaVu7TUKGi5CkH4KR2maMMIAn_NEeWGwS80-NSMMyF-89JYVo1KKkcq3Jb91bavxbDwozhMqjY6bdn1TtWSPBcKV-2W8p53JNHT8GGUdayGWTlSbGsj5IFqe1ZSmPhZdvJ9tv7iM55xKrD_Po6MOulWye5eiyE9RFAB33jBfFPtt6nibzExNFzV3Zz6fecJIgF-AemmIn55LKczAdH9xxu9zMzDGw6iUpeOalAnyrA.ggFbUIqc0RElRdP6cEdZ_A; Domain=.myserver.com; Expires=Wed, 10 May 2023 14:32:30 GMT; Path=/; Secure; HttpOnly

New request 2: cookie sent: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..9t2ueO_VkuGQW1LH.29l-fyBLQSQGK_0xdrokQLBlpBvjkqtnUKJ5NvYtNVPXyC-oVvh1cwu7lOw3rWtW8prluNr3QpP7HMx92Zs0gH2WWDZGy0BUojWq8bJX_YwvhmZHDQ3K7gqF207bXANMQ5iy5wJM9-m6bSKzMI0rng0-T1ZSbvL4Uy8ImNAWhfXNGcN6aWcbjfcSQNd_W3Fix3hZMW-srCCwO9vpS-_IlM7xu7JLbxIEgugkoYisCuyvsaVu7TUKGi5CkH4KR2maMMIAn_NEeWGwS80-NSMMyF-89JYVo1KKkcq3Jb91bavxbDwozhMqjY6bdn1TtWSPBcKV-2W8p53JNHT8GGUdayGWTlSbGsj5IFqe1ZSmPhZdvJ9tv7iM55xKrD_Po6MOulWye5eiyE9RFAB33jBfFPtt6nibzExNFzV3Zz6fecJIgF-AemmIn55LKczAdH9xxu9zMzDGw6iUpeOalAnyrA.ggFbUIqc0RElRdP6cEdZ_A

set-cookie: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..NqlHIo8qciagNdqD.aVZfuZCAr3WsXADIGdbcDpPfXz_uMLyXzUnlh3RQrGP5gMTGdqILZfSiKxLh-M3xWF9rclw_WjGtVvtFAFU-gtuQcrNq65gIvKZ9jlOO3pjwBE-BegNwKtsKZhYtGZSLiLHtTERpkUuFuDIss75bW60n0beMn4VOzRxnLCWPQj6wkp-j2bqeTw8ktYdXevRIW8APArZpxd12aStcxnCeAI5oqMvqLrAfrstTq9A6pi0TmIoIoRKnmAGIJ1QyVonBdkNVpwJ7qJGVljlUvMFvaXK_2kghm30qnYuSfUXVJcyzSJwdmFvP5DCYNoboZ4DqQ5f7wO56I06hamtqWabxzsQl8jBQNfBD3nLwPGtLVR9H3Z_NkpbLTBfB49A9Y1rPK0tYyVzsUR__Zu7eyWm-pl0843Z59VYb8nIQ2muVTytb_Osf0-vb8m2JSrSF10WEfaUnHX63-C5k8pX8NmGmLg.rtvMFbYDTyHWkQiB9WociA; Domain=.myserver.com; Expires=Wed, 10 May 2023 14:32:30 GMT; Path=/; Secure; HttpOnly

New request 3: cookie sent: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..Mkmtbbxc-4X7o17B.44-AsGgX4QNHmmeD86kBMi6mdOvQvQlymjhPPC7YwLZepPqMZNfx1DJK9gv1LnE8bJk1wgZh6nn56tRWlJeP4f5SvAvJzAFXBSfxE7S-vdqrzxKXqMbnllL6tAcALZ8-ZMdcJ8pyp6cKiiPFvn7-VAA0AP_L51zbz--BbEcNpq70P7YEqabzYsmxI5Nb3nyryW1U2_hZjtysb40VXPU-rnpK9lsXLp9ubE_ZNQUZiJzCtKintlMTNeD0VenCTUfnpFv4JEurjhTaDT6m1bqnHyv6IuWvwbaez52DMomJOR_eg-AtjqDEDtJbAmIoU8EsyQGrNMrkhZmQB7NtDLlGVzt_DCIo2XhG-RH8DNvMcuQpLfgAEZT5B1kbxb8iRjUMewdm_nx5w8Axej2nu15oDFQ0sqOr-n3tXiuOt-T0OGUYPPOH0J0Z7RK6F8ehwqT1E-ASRmdiLUFkjzBP185o6cmouHeVOrqbyREbyfrmkMKAAEIZ3Rw9y5_nTPk1tprbgFzXoKQyhw.JsE-xkpyHCdYKyEaDQ7jqQ

set-cookie: xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..vufXQ-8Mdmu-PBw1.UcMWQxbp2_BxX5ndv6_2HL2TZ4SA8Arbo-4QD6zxu6tOmywkWJmXA950ilsIcm1NeXVfZiujYeK3HpzNK7yUTPAucpUMBD0OCVfRVj8Cv-x3ANbDklUVgw9r8bEAS0Trdbg7bvQjh2oxe6KJ7zXyzB5jFRm3Qe__p4zIb77jYbnlk-Meg5xaXN_AkFX-9WfHGEIWCGSzVNuQalSvPJN8UJmBs-F74DxT63ttVpGP0019gNgJz3legYmq3-aqZx5uFXTQ1BCRudppYrnWGzuhrpcVP1GcE0KOnSLGXqgPNFe6MrmgOu1yrE0jWQTICVdSdXW-6YrO1nRxxyAHX9jQngBwYgLxILN6iTM2mB7XEuzkl9cSGr9p5IFNgXqsplc2QlTq7Y06h8z2KqmkBehwyplAc1rzen2nul6N3ZLRHpb4SBqX9eYNGe-h0w4IlaCn-phAqaPM0IG_XEN1aHUo5dPdiCo3mWGdiom15OCIP1-FEEvB8V_Gqffpe7jvIptIlGE5bHSyiP7yafG7fw.Gp9areAKMXahE1l_7Z4LXA; Domain=.myserver.com; Expires=Wed, 10 May 2023 14:32:31 GMT; Path=/; Secure; HttpOnly

New request 4: cookie sent: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..Mkmtbbxc-4X7o17B.44-AsGgX4QNHmmeD86kBMi6mdOvQvQlymjhPPC7YwLZepPqMZNfx1DJK9gv1LnE8bJk1wgZh6nn56tRWlJeP4f5SvAvJzAFXBSfxE7S-vdqrzxKXqMbnllL6tAcALZ8-ZMdcJ8pyp6cKiiPFvn7-VAA0AP_L51zbz--BbEcNpq70P7YEqabzYsmxI5Nb3nyryW1U2_hZjtysb40VXPU-rnpK9lsXLp9ubE_ZNQUZiJzCtKintlMTNeD0VenCTUfnpFv4JEurjhTaDT6m1bqnHyv6IuWvwbaez52DMomJOR_eg-AtjqDEDtJbAmIoU8EsyQGrNMrkhZmQB7NtDLlGVzt_DCIo2XhG-RH8DNvMcuQpLfgAEZT5B1kbxb8iRjUMewdm_nx5w8Axej2nu15oDFQ0sqOr-n3tXiuOt-T0OGUYPPOH0J0Z7RK6F8ehwqT1E-ASRmdiLUFkjzBP185o6cmouHeVOrqbyREbyfrmkMKAAEIZ3Rw9y5_nTPk1tprbgFzXoKQyhw.JsE-xkpyHCdYKyEaDQ7jqQ

Additional Context

This works correctly on all web browsers and Android. If we disable the capacitor cookie plugin the problem also goes away. We can't reproduce it with the cookie plugin disabled. But we need the plugin for other client side cookies.

May 14 '23 17:05 davidbeaton
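A way to check a captured header sequence like the one in this report mechanically, as an added example that is not part of the original issue or of Capacitor's code: it replays `Set-Cookie` and `Cookie` headers against a reference jar and flags every request that sends a cookie the client should no longer hold. The function names, the trace shape and the stand-in values `OLD`/`NEW1`… are assumptions made for the illustration.

```javascript
// Added example: replay observed Set-Cookie / Cookie headers against a reference jar.
// Assumption: keyed by name only, as every cookie in the report shares Domain and Path.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), expires: Infinity };
  let maxAge = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'expires' && !Number.isNaN(Date.parse(val))) cookie.expires = Date.parse(val);
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = Number(val);
  }
  // RFC 6265: Max-Age wins over Expires; zero or negative means "expire now".
  if (maxAge !== null) cookie.expires = maxAge <= 0 ? -Infinity : now + maxAge * 1000;
  return cookie;
}
// trace: [{ at: epochMs, setCookie?: string, cookie?: string }] in observed order.
function findStaleCookieSends(trace) {
  const jar = new Map(); // name -> parsed cookie the client should hold
  const findings = [];
  trace.forEach((ev, index) => {
    if (ev.setCookie) {
      const c = parseSetCookie(ev.setCookie, ev.at);
      if (c.expires <= ev.at) jar.delete(c.name); // past expiry evicts the cookie
      else jar.set(c.name, c);
    }
    for (const pair of (ev.cookie || '').split(';').map((s) => s.trim()).filter(Boolean)) {
      const eq = pair.indexOf('=');
      const name = pair.slice(0, eq);
      const held = jar.get(name);
      if (!held || held.expires <= ev.at) findings.push({ index, name, reason: 'expired-or-never-set' });
      else if (held.value !== pair.slice(eq + 1)) findings.push({ index, name, reason: 'stale-value' });
    }
  });
  return findings;
}
// Constructed trace following the report's sequence; OLD/NEW1.. stand in for the real values.
const T = Date.parse('2023-05-10T14:00:00Z');
const withExpires = (exp) => `Domain=.myserver.com; Expires=${exp}; Path=/; Secure; HttpOnly`;
const LIVE = withExpires('Wed, 10 May 2023 14:32:30 GMT');
const sampleTrace = [
  { at: T, setCookie: `_xyza=OLD; ${LIVE}` },
  { at: T + 1000, setCookie: `_xyza=OLD; ${withExpires('Thu, 01 Jan 1970 00:00:10 GMT')}` }, // previous request 4
  { at: T + 2000, cookie: '_xyza=OLD' }, { at: T + 2100, setCookie: `_xyza=NEW1; ${LIVE}` },
  { at: T + 3000, cookie: '_xyza=NEW1' }, { at: T + 3100, setCookie: `_xyza=NEW2; ${LIVE}` },
  { at: T + 4000, cookie: '_xyza=OLD' }, { at: T + 4100, setCookie: `_xyza=NEW3; ${LIVE}` },
  { at: T + 5000, cookie: '_xyza=OLD' },
];
console.log(findStaleCookieSends(sampleTrace));
```

On the constructed trace the three flagged requests correspond to the sends the report marks as unexpected; a client that honours the expiry and the overwrites produces an empty list.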

Bumping this up to see if there are any thoughts on this?

May 22 '23 15:05 davidbeaton

Could this be related to this issue?

https://bugs.webkit.org/show_bug.cgi?id=255524

May 23 '23 18:05 davidbeaton

Bumping this up again. There are recent conversations here on this bug report around cookies not syncing correctly in Safari on asset requests. It's not exactly the same as it's Safari and assets, but the behavior is identical. Server side cookies aren't syncing correctly frequently when we have the cookie plugin enabled.

Any possible way there is a correlation in WebKit to what we are seeing in iOS with the cookie plugin enabled?

https://bugs.webkit.org/show_bug.cgi?id=255524

Jun 09 '23 14:06 davidbeaton

Bumping this issue again. I see a few other recent issues also opened around cookies.

Aug 15 '23 21:08 davidbeaton

This issue needs more information before it can be addressed. In particular, the reporter needs to provide a minimal sample app that demonstrates the issue. If no sample app is provided within 15 days, the issue will be closed. Please see the Contributing Guide for how to create a Sample App. Thanks! Ionitron 💙

Aug 15 '23 23:08 ionitron-bot[bot]

I'm experiencing this as well. When I Set-Cookie to a blank and expired value, the original cookie value is being sent.

Jan 21 '24 01:01 ozyman42

This issue needs more information before it can be addressed. In particular, the reporter needs to provide a minimal sample app that demonstrates the issue. If no sample app is provided within 15 days, the issue will be closed. Please see the Contributing Guide for how to create a Sample App. Thanks! Ionitron 💙

Jun 05 '24 10:06 ionitron-bot[bot]

It looks like this issue didn't get the information it needed, so I'll close it for now. If I made a mistake, sorry! I am just a bot.

Have a great day! Ionitron 💙

Jun 21 '24 00:06 Ionitron

Thanks for the issue! This issue is being locked to prevent comments that are not relevant to the original issue. If this is still an issue with the latest version of Capacitor, please create a new issue and ensure the template is fully filled out.

Jul 21 '24 00:07 ionitron-bot[bot]