Bug 219872
Summary: | All our cookies get randomly deleted from the NSHTTPCookieStorage. Could be a cookie sync issue between NSHTTPCookieStorage and WKHTTPCookieStore. | ||
---|---|---|---|
Product: | WebKit | Reporter: | exu |
Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
Status: | NEW | ||
Severity: | Blocker | CC: | achristensen, bdakin, beidson, bfulgham, ggaren, katherine_cheney, webkit-bug-importer, wilander |
Priority: | P2 | Keywords: | InRadar |
Version: | WebKit Nightly Build | ||
Hardware: | iPhone / iPad | ||
OS: | iOS 14 |
exu
Summary:
All our cookies get randomly deleted from the NSHTTPCookieStorage.
We suspect an issue in the cookie sync between NSHTTPCookieStorage and WKHTTPCookieStore on our iOS app.
Our investigation:
- This issue happens on more predominantly on iOS 14
- We’ve confirmed that the server is not deleting/resetting cookies, and the cookies are issued by server with attributes Same-Site:None and Secure:Yes.
Our observations:
When app users tap for in-app browser with WKWebView, a call from WKWebView to the server is made (either directly or via XMLHttpRequest). And right after the network call, cookies in NSHTTPCookieStorage are deleted. We suspect there is some bug in the sync between WKHTTPCookieStorage & NSHTTPCookieStorage leading to deletion of cookies from NSHTTPCookieStorage.
First call after cold launch either in the app or extension/widget doesn’t contain certain cookies but those cookies magically appear after a few milliseconds and subsequent network calls do contain these cookies.
Question:
- When the cookies are getting deleted from WKWebView, the cookies from the NSHTTPCookieStorage are also deleted. Is this expected?
Attachments | ||
---|---|---|
Add attachment proposed patch, testcase, etc. |
Geoffrey Garen
> When app users tap for in-app browser with WKWebView, a call from WKWebView to the server is made (either directly or via XMLHttpRequest). And right after the network call, cookies in NSHTTPCookieStorage are deleted. We suspect there is some bug in the sync between WKHTTPCookieStorage & NSHTTPCookieStorage leading to deletion of cookies from NSHTTPCookieStorage.
In this case, what method did you use to notice that cookies were removed from NSHTTPCookieStorage?
At that time, were the cookies still present in WKHTTPCookieStorage?
> First call after cold launch either in the app or extension/widget doesn’t contain certain cookies but those cookies magically appear after a few milliseconds and subsequent network calls do contain these cookies.
Is this case distinct from the case where cookies get deleted?
In this case, what method did you use to notice that cookies were initially missing? Were they missing from NSHTTPCookieStorage, WKHTTPCookieStorage, or both?
exu
(In reply to Geoffrey Garen from comment #1)
> > When app users tap for in-app browser with WKWebView, a call from WKWebView to the server is made (either directly or via XMLHttpRequest). And right after the network call, cookies in NSHTTPCookieStorage are deleted. We suspect there is some bug in the sync between WKHTTPCookieStorage & NSHTTPCookieStorage leading to deletion of cookies from NSHTTPCookieStorage.
>
> In this case, what method did you use to notice that cookies were removed
> from NSHTTPCookieStorage?
We noticed in our client side logs by listening to NSHTTPCookieManagerCookiesChangedNotification that the cookies disappeared from NSHTTPCookieStorage. Logs on the server side also indicated that cookies didn’t exist in the networking requests.
>
> At that time, were the cookies still present in WKHTTPCookieStorage?
Unsure. We didn’t see the cookies in calls made by WKWebView in our server side logs. What we don’t know is that if the cookies are deleted, or if ITP kicked in and block those cookies from being sent to the server?
>
> > First call after cold launch either in the app or extension/widget doesn’t contain certain cookies but those cookies magically appear after a few milliseconds and subsequent network calls do contain these cookies.
>
> Is this case distinct from the case where cookies get deleted?
>
> In this case, what method did you use to notice that cookies were initially
> missing? Were they missing from NSHTTPCookieStorage, WKHTTPCookieStorage, or
> both?
Yes this is a different case, because this only happens on process start and the cookies always reappear after a few 100s of milliseconds. At app start, we only make native calls using NSURLSession, so we know that the cookies were missing from NSHTTPCookieStorage. We don’t know about the state of WKHTTPCookieStorage.
John Wilander
(In reply to exu from comment #0)
> Summary:
> All our cookies get randomly deleted from the NSHTTPCookieStorage.
> We suspect an issue in the cookie sync between NSHTTPCookieStorage and
> WKHTTPCookieStore on our iOS app.
When you say randomly, is that a large random spread such as some deleted after a month and some after five minutes?
> Our investigation:
> - This issue happens on more predominantly on iOS 14
>
> - We’ve confirmed that the server is not deleting/resetting cookies, and the
> cookies are issued by server with attributes Same-Site:None and Secure:Yes.
Are the servers setting cookies by any chance under so called third-party CNAME cloaking? See definition here: https://webkit.org/tracking-prevention/
> Our observations:
> When app users tap for in-app browser with WKWebView, a call from WKWebView
> to the server is made (either directly or via XMLHttpRequest). And right
> after the network call, cookies in NSHTTPCookieStorage are deleted. We
> suspect there is some bug in the sync between WKHTTPCookieStorage &
> NSHTTPCookieStorage leading to deletion of cookies from NSHTTPCookieStorage.
> First call after cold launch either in the app or extension/widget doesn’t
> contain certain cookies but those cookies magically appear after a few
> milliseconds and subsequent network calls do contain these cookies.
Are these other cookies or are these the cookies you refer to as deleted? Basically, do you mean deleted as in will never come back or as in just not available right away?
> Question:
> - When the cookies are getting deleted from WKWebView, the cookies from the
> NSHTTPCookieStorage are also deleted. Is this expected?
Geoffrey Garen
By default, there is no connection between the WKHTTPCookieStore in a given WebView and the NSHTTPCookieStorage in an app. So I wouldn't expect activity in a WebView to set or delete cookies in an app's NSHTTPCookieStorage.
Can you share some sample code showing how the WebView's WKWebsiteDataStore and WKWebViewConfiguration were initialized?
exu
(In reply to Geoffrey Garen from comment #4)
> By default, there is no connection between the WKHTTPCookieStore in a given
> WebView and the NSHTTPCookieStorage in an app. So I wouldn't expect activity
> in a WebView to set or delete cookies in an app's NSHTTPCookieStorage.
>
> Can you share some sample code showing how the WebView's WKWebsiteDataStore
> and WKWebViewConfiguration were initialized?
Here is the sample code:
let config = WKWebViewConfiguration()
let webView = WKWebView(frame: .zero, configuration: config)
We have seen that there seems to be some automatic undocumented 2-way sync happening between the app’s shared NSHTTPCookieStorage and the default persistent WKWebsiteDataStore. We don’t have any code to manually sync and yet cookies are shared both ways.
exu
(In reply to John Wilander from comment #3)
> (In reply to exu from comment #0)
> > Summary:
> > All our cookies get randomly deleted from the NSHTTPCookieStorage.
> > We suspect an issue in the cookie sync between NSHTTPCookieStorage and
> > WKHTTPCookieStore on our iOS app.
>
> When you say randomly, is that a large random spread such as some deleted
> after a month and some after five minutes?
It’s in the timespan of within a few seconds (sometimes as quick as few 100s of milliseconds).
>
> > Our investigation:
> > - This issue happens on more predominantly on iOS 14
> >
> > - We’ve confirmed that the server is not deleting/resetting cookies, and the
> > cookies are issued by server with attributes Same-Site:None and Secure:Yes.
>
> Are the servers setting cookies by any chance under so called third-party
> CNAME cloaking? See definition here: https://webkit.org/tracking-prevention/
No. These are first party cookies set for our primary domain and used there. The domain of these cookies is always .myCompany.com or .www.myCompany.com.
>
> > Our observations:
> > When app users tap for in-app browser with WKWebView, a call from WKWebView
> > to the server is made (either directly or via XMLHttpRequest). And right
> > after the network call, cookies in NSHTTPCookieStorage are deleted. We
> > suspect there is some bug in the sync between WKHTTPCookieStorage &
> > NSHTTPCookieStorage leading to deletion of cookies from NSHTTPCookieStorage.
> > First call after cold launch either in the app or extension/widget doesn’t
> > contain certain cookies but those cookies magically appear after a few
> > milliseconds and subsequent network calls do contain these cookies.
>
> Are these other cookies or are these the cookies you refer to as deleted?
> Basically, do you mean deleted as in will never come back or as in just not
> available right away?
This is a totally unrelated issue. Some cookies in NSHTTPCookieStorage seem to appear later only on process start (ie. the 1st call will miss them but subsequent calls will have them). This is not consistently reproducible.
>
> > Question:
> > - When the cookies are getting deleted from WKWebView, the cookies from the
> > NSHTTPCookieStorage are also deleted. Is this expected?
Geoffrey Garen
> By default, there is no connection between the WKHTTPCookieStore in a given
> WebView and the NSHTTPCookieStorage in an app.
Sorry, I was wrong about this. The default NSHTTPCookieStorage path and the default WKHTTPCookieStore path are the same.
Geoffrey Garen
> Here is the sample code:
> let config = WKWebViewConfiguration()
> let webView = WKWebView(frame: .zero, configuration: config)
An important side effect of this construction is that it assigns a unique networking process to each WebView, which could trigger races between the networking process.
Geoffrey Garen
Here's a theory of a change that might help:
(1) Make sure that all WebViews share the same WKWebViewConfiguration;
(2) Always use WKHTTPCookieStore to access cookies, and never use NSHTTPCookieStore.
These changes taken together should eliminate a few races between different ways to access the same cookies. Maybe those races explain some of these issues.
exu
(In reply to Geoffrey Garen from comment #9)
Thanks for your suggestions Geoffrey!
We didn't change any of this code on our side, but we started observing increased instances occurring on iOS 14 after we released a version of the app built with the iOS 14 SDK. Could you share some details on why that could be?
> Here's a theory of a change that might help:
>
> (1) Make sure that all WebViews share the same WKWebViewConfiguration;
>
> (2) Always use WKHTTPCookieStore to access cookies, and never use
> NSHTTPCookieStore.
>
> These changes taken together should eliminate a few races between different
> ways to access the same cookies. Maybe those races explain some of these
> issues.
Geoffrey Garen
Sorry, I don't have a good guess about why / how this behavior changed. But the results of the experiment above might give us more information about where to look.
Radar WebKit Bug Importer
<rdar://problem/72561790>