capacitor
capacitor copied to clipboard
bug: cookies not being expired when capacitor cookie plugin enabled iOS
Bug Report
Capacitor Version
@capacitor/cli: 4.8.0
@capacitor/core: 4.8.0
@capacitor/ios: 4.8.0
@capacitor/android: 4.8.0
We do see it on Capacitor 4.6.1 as well and updated to 4.8.0 to see if it would resolve the issue but it did not.
Platform(s)
iOS versions 16.2 and later on physical device. We couldn't recreate on a 16.1 simulator but there may be iOS updates not yet on the simulator
Current Behavior
When we return a set-cookie header _xyza, we see the cookie being sent on subsequent requests as expected. If we update the value of the cookie we also do see the cookie sent with the new value, but we also sometimes see the cookie sent with the older value.
And if we expire the cookie with set-cookie Expires=Thu, 01 Jan 1970 00:00:10 GMT we continue to see the cookie sent on subsequent requests.
Expected Behavior
When the cookie value is updated with set-cookie we expect to always see the updated value on subsequent requests. If the expires on cookie-set is set to Expires=Thu, 01 Jan 1970 00:00:10 GMT; we no longer expect to see the cookie being sent.
Other Technical Details
Example sequence below describes what we see.
Request 4 expires the cookie. We log out of our and app and back in Request 1, we see the expired cookie sent (unexpected) and we return a new cookie value with set-cookie Request 2, we see the cookie value we set in in previous request 1 response sent (expected) Request 3, we see the cookie from previous request 4 sent (unexpected) and we set new cookie value set on set-cookie Request 4, we see the cookie from previous request 4 sent (unexpected)
Example sequence below shows the actual cookie results of what we are seeing from the sequence described above.
Previous request 4: set-cookie: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..Mkmtbbxc-4X7o17B.44-AsGgX4QNHmmeD86kBMi6mdOvQvQlymjhPPC7YwLZepPqMZNfx1DJK9gv1LnE8bJk1wgZh6nn56tRWlJeP4f5SvAvJzAFXBSfxE7S-vdqrzxKXqMbnllL6tAcALZ8-ZMdcJ8pyp6cKiiPFvn7-VAA0AP_L51zbz--BbEcNpq70P7YEqabzYsmxI5Nb3nyryW1U2_hZjtysb40VXPU-rnpK9lsXLp9ubE_ZNQUZiJzCtKintlMTNeD0VenCTUfnpFv4JEurjhTaDT6m1bqnHyv6IuWvwbaez52DMomJOR_eg-AtjqDEDtJbAmIoU8EsyQGrNMrkhZmQB7NtDLlGVzt_DCIo2XhG-RH8DNvMcuQpLfgAEZT5B1kbxb8iRjUMewdm_nx5w8Axej2nu15oDFQ0sqOr-n3tXiuOt-T0OGUYPPOH0J0Z7RK6F8ehwqT1E-ASRmdiLUFkjzBP185o6cmouHeVOrqbyREbyfrmkMKAAEIZ3Rw9y5_nTPk1tprbgFzXoKQyhw.JsE-xkpyHCdYKyEaDQ7jqQ; Domain=.myserver.com; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Logout....
New request 1: cookie sent: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..Mkmtbbxc-4X7o17B.44-AsGgX4QNHmmeD86kBMi6mdOvQvQlymjhPPC7YwLZepPqMZNfx1DJK9gv1LnE8bJk1wgZh6nn56tRWlJeP4f5SvAvJzAFXBSfxE7S-vdqrzxKXqMbnllL6tAcALZ8-ZMdcJ8pyp6cKiiPFvn7-VAA0AP_L51zbz--BbEcNpq70P7YEqabzYsmxI5Nb3nyryW1U2_hZjtysb40VXPU-rnpK9lsXLp9ubE_ZNQUZiJzCtKintlMTNeD0VenCTUfnpFv4JEurjhTaDT6m1bqnHyv6IuWvwbaez52DMomJOR_eg-AtjqDEDtJbAmIoU8EsyQGrNMrkhZmQB7NtDLlGVzt_DCIo2XhG-RH8DNvMcuQpLfgAEZT5B1kbxb8iRjUMewdm_nx5w8Axej2nu15oDFQ0sqOr-n3tXiuOt-T0OGUYPPOH0J0Z7RK6F8ehwqT1E-ASRmdiLUFkjzBP185o6cmouHeVOrqbyREbyfrmkMKAAEIZ3Rw9y5_nTPk1tprbgFzXoKQyhw.JsE-xkpyHCdYKyEaDQ7jqQ
set-cookie: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..9t2ueO_VkuGQW1LH.29l- fyBLQSQGK_0xdrokQLBlpBvjkqtnUKJ5NvYtNVPXyC-oVvh1cwu7lOw3rWtW8prluNr3QpP7HMx92Zs0gH2WWDZGy0BUojWq8bJX_YwvhmZHDQ3K7gqF207bXANMQ5iy5wJM9-m6bSKzMI0rng0-T1ZSbvL4Uy8ImNAWhfXNGcN6aWcbjfcSQNd_W3Fix3hZMW-srCCwO9vpS-_IlM7xu7JLbxIEgugkoYisCuyvsaVu7TUKGi5CkH4KR2maMMIAn_NEeWGwS80-NSMMyF-89JYVo1KKkcq3Jb91bavxbDwozhMqjY6bdn1TtWSPBcKV-2W8p53JNHT8GGUdayGWTlSbGsj5IFqe1ZSmPhZdvJ9tv7iM55xKrD_Po6MOulWye5eiyE9RFAB33jBfFPtt6nibzExNFzV3Zz6fecJIgF-AemmIn55LKczAdH9xxu9zMzDGw6iUpeOalAnyrA.ggFbUIqc0RElRdP6cEdZ_A; Domain=.myserver.com; Expires=Wed, 10 May 2023 14:32:30 GMT; Path=/; Secure; HttpOnly
New request 2: cookie sent: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..9t2ueO_VkuGQW1LH.29l-fyBLQSQGK_0xdrokQLBlpBvjkqtnUKJ5NvYtNVPXyC-oVvh1cwu7lOw3rWtW8prluNr3QpP7HMx92Zs0gH2WWDZGy0BUojWq8bJX_YwvhmZHDQ3K7gqF207bXANMQ5iy5wJM9-m6bSKzMI0rng0-T1ZSbvL4Uy8ImNAWhfXNGcN6aWcbjfcSQNd_W3Fix3hZMW-srCCwO9vpS-_IlM7xu7JLbxIEgugkoYisCuyvsaVu7TUKGi5CkH4KR2maMMIAn_NEeWGwS80-NSMMyF-89JYVo1KKkcq3Jb91bavxbDwozhMqjY6bdn1TtWSPBcKV-2W8p53JNHT8GGUdayGWTlSbGsj5IFqe1ZSmPhZdvJ9tv7iM55xKrD_Po6MOulWye5eiyE9RFAB33jBfFPtt6nibzExNFzV3Zz6fecJIgF-AemmIn55LKczAdH9xxu9zMzDGw6iUpeOalAnyrA.ggFbUIqc0RElRdP6cEdZ_A
set-cookie: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..NqlHIo8qciagNdqD.aVZfuZCAr3WsXADIGdbcDpPfXz_uMLyXzUnlh3RQrGP5gMTGdqILZfSiKxLh-M3xWF9rclw_WjGtVvtFAFU-gtuQcrNq65gIvKZ9jlOO3pjwBE-BegNwKtsKZhYtGZSLiLHtTERpkUuFuDIss75bW60n0beMn4VOzRxnLCWPQj6wkp-j2bqeTw8ktYdXevRIW8APArZpxd12aStcxnCeAI5oqMvqLrAfrstTq9A6pi0TmIoIoRKnmAGIJ1QyVonBdkNVpwJ7qJGVljlUvMFvaXK_2kghm30qnYuSfUXVJcyzSJwdmFvP5DCYNoboZ4DqQ5f7wO56I06hamtqWabxzsQl8jBQNfBD3nLwPGtLVR9H3Z_NkpbLTBfB49A9Y1rPK0tYyVzsUR__Zu7eyWm-pl0843Z59VYb8nIQ2muVTytb_Osf0-vb8m2JSrSF10WEfaUnHX63-C5k8pX8NmGmLg.rtvMFbYDTyHWkQiB9WociA; Domain=.myserver.com; Expires=Wed, 10 May 2023 14:32:30 GMT; Path=/; Secure; HttpOnly
New request 3: cookie sent: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..Mkmtbbxc-4X7o17B.44-AsGgX4QNHmmeD86kBMi6mdOvQvQlymjhPPC7YwLZepPqMZNfx1DJK9gv1LnE8bJk1wgZh6nn56tRWlJeP4f5SvAvJzAFXBSfxE7S-vdqrzxKXqMbnllL6tAcALZ8-ZMdcJ8pyp6cKiiPFvn7-VAA0AP_L51zbz--BbEcNpq70P7YEqabzYsmxI5Nb3nyryW1U2_hZjtysb40VXPU-rnpK9lsXLp9ubE_ZNQUZiJzCtKintlMTNeD0VenCTUfnpFv4JEurjhTaDT6m1bqnHyv6IuWvwbaez52DMomJOR_eg-AtjqDEDtJbAmIoU8EsyQGrNMrkhZmQB7NtDLlGVzt_DCIo2XhG-RH8DNvMcuQpLfgAEZT5B1kbxb8iRjUMewdm_nx5w8Axej2nu15oDFQ0sqOr-n3tXiuOt-T0OGUYPPOH0J0Z7RK6F8ehwqT1E-ASRmdiLUFkjzBP185o6cmouHeVOrqbyREbyfrmkMKAAEIZ3Rw9y5_nTPk1tprbgFzXoKQyhw.JsE-xkpyHCdYKyEaDQ7jqQ
set-cookie: xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..vufXQ-8Mdmu-PBw1.UcMWQxbp2_BxX5ndv6_2HL2TZ4SA8Arbo-4QD6zxu6tOmywkWJmXA950ilsIcm1NeXVfZiujYeK3HpzNK7yUTPAucpUMBD0OCVfRVj8Cv-x3ANbDklUVgw9r8bEAS0Trdbg7bvQjh2oxe6KJ7zXyzB5jFRm3Qe__p4zIb77jYbnlk-Meg5xaXN_AkFX-9WfHGEIWCGSzVNuQalSvPJN8UJmBs-F74DxT63ttVpGP0019gNgJz3legYmq3-aqZx5uFXTQ1BCRudppYrnWGzuhrpcVP1GcE0KOnSLGXqgPNFe6MrmgOu1yrE0jWQTICVdSdXW-6YrO1nRxxyAHX9jQngBwYgLxILN6iTM2mB7XEuzkl9cSGr9p5IFNgXqsplc2QlTq7Y06h8z2KqmkBehwyplAc1rzen2nul6N3ZLRHpb4SBqX9eYNGe-h0w4IlaCn-phAqaPM0IG_XEN1aHUo5dPdiCo3mWGdiom15OCIP1-FEEvB8V_Gqffpe7jvIptIlGE5bHSyiP7yafG7fw.Gp9areAKMXahE1l_7Z4LXA; Domain=.myserver.com; Expires=Wed, 10 May 2023 14:32:31 GMT; Path=/; Secure; HttpOnly
New request 4: cookie sent: _xyza=eyJ6aXAiOiJERUYiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..Mkmtbbxc-4X7o17B.44-AsGgX4QNHmmeD86kBMi6mdOvQvQlymjhPPC7YwLZepPqMZNfx1DJK9gv1LnE8bJk1wgZh6nn56tRWlJeP4f5SvAvJzAFXBSfxE7S-vdqrzxKXqMbnllL6tAcALZ8-ZMdcJ8pyp6cKiiPFvn7-VAA0AP_L51zbz--BbEcNpq70P7YEqabzYsmxI5Nb3nyryW1U2_hZjtysb40VXPU-rnpK9lsXLp9ubE_ZNQUZiJzCtKintlMTNeD0VenCTUfnpFv4JEurjhTaDT6m1bqnHyv6IuWvwbaez52DMomJOR_eg-AtjqDEDtJbAmIoU8EsyQGrNMrkhZmQB7NtDLlGVzt_DCIo2XhG-RH8DNvMcuQpLfgAEZT5B1kbxb8iRjUMewdm_nx5w8Axej2nu15oDFQ0sqOr-n3tXiuOt-T0OGUYPPOH0J0Z7RK6F8ehwqT1E-ASRmdiLUFkjzBP185o6cmouHeVOrqbyREbyfrmkMKAAEIZ3Rw9y5_nTPk1tprbgFzXoKQyhw.JsE-xkpyHCdYKyEaDQ7jqQ
Additional Context
This works correctly on all web browsers and Android. If we disable the capacitor cookie plugin the problem also goes away. We can't reproduce it with the cookie plugin disabled. But we need the plugin for other client side cookies.