Bug 276313

Summary: Safari is ignoring the session cookie for localhost sites
Product: WebKit
Reporter: Noel Da Costa <appledeveloper>
Component: Page Loading
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: beidson, cdumez, jonkoops, karlcow, m_finkel, webkit-bug-importer, wilander, youennf
Priority: P2
Keywords: BrowserCompat, InRadar
Version: Safari 17
Hardware: Mac (Apple Silicon)
OS: macOS 15
See Also: https://bugs.webkit.org/show_bug.cgi?id=232088

Noel Da Costa
Reported 2024-07-08 06:15:27 PDT
Created attachment 471839 [details]
Login request where credentials are passed and session cookie is returned but the route guard request doesn't have the cookie to send, and so the response from the server doesn't allow navigation.

Safari is ignoring the session cookie for localhost sites that are on the same domain (but different subdomains). This behaviour is unique to Safari; I've tested this on Chrome, Brave, Firefox and Opera – all work as expected.

The environment is a docker-compose network. The docker-compose file is included below. I have entries in `/etc/hosts` for the domains:

```
127.0.0.1 be.mnr.localhost
127.0.0.1 fe.mnr.localhost
```

All the routing works correctly but while the session cookie is received as part of the request response, Safari is ignoring it and so subsequent requests after login are not having the auth token passed with them and thus the server believes the session is not authenticated. This is a CORS browser implementation issue. I have the cookie session samesite set to "Lax".
docker-compose.yml

```
version: "3.9"

networks:
  web-network:

services:
  caddy:
    image: caddy:latest
    restart: always
    volumes:
      - ./caddy/data:/data
      - ./caddy/config:/config
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./caddy/logs:/logs
      - ./mnr:/var/www/html
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web-network
    # this bit allows caddy on docker to see the listener on the external (to docker) port 8080 (which listens locally on my laptop)
    extra_hosts:
      host.docker.internal: host-gateway

  php:
    build: ./php
    tty: true
    restart: always
    volumes:
      - ./mnr:/var/www/html
      - ./php/etc/:/usr/local/etc/
      - ./php/tmp/:/tmp/
    networks:
      - web-network
    extra_hosts:
      host.docker.internal: host-gateway

  mysql:
    image: mysql/mysql-server:8.0-aarch64
    ports:
      - "23306:3306"
    environment:
      MYSQL_ROOT_HOST: "%"
      MYSQL_ROOT_USER: <redacted>
      MYSQL_ROOT_PASSWORD: <redacted>
      MYSQL_DATABASE: <redacted>
      MYSQL_USER: <redacted>
      MYSQL_PASSWORD: <redacted>
    volumes:
      - $PWD/db/data:/var/lib/mysql
    networks:
      - web-network
    extra_hosts:
      host.docker.internal: host-gateway
```

This ticket came as a request from Young F. to open a new ticket based on my comments on this ticket: https://bugs.webkit.org/show_bug.cgi?id=255524

My comments there may shed extra light on this issue.

Thanks,
Noel
Attachments
Login request where credentials are passed and session cookie is returned but the route guard request doesn't have the cookie to send, and so the response from the server doesn't allow navigation. (717.33 KB, image/png)
2024-07-08 06:15 PDT, Noel Da Costa
no flags
shows the requests (717.33 KB, image/png)
2024-07-08 06:32 PDT, Noel Da Costa
no flags
Radar WebKit Bug Importer
Comment 1 2024-07-08 06:17:18 PDT
Noel Da Costa
Comment 2 2024-07-08 06:32:14 PDT
Created attachment 471840 [details] shows the requests
Noel Da Costa
Comment 3 2024-07-08 06:33:38 PDT
I redid the attachment because the first one was mislabelled.
Noel Da Costa
Comment 4 2025-02-13 00:03:39 PST
I think the issue might be that Safari is refusing to include the session cookie because the SSL certificates are self-signed on my local dev environment. However, once I've accepted the risk in the browser, Safari should allow me to accept the risk.