RESOLVED INVALID 169173
Safari is omitting cookies when sending a web request 
https://bugs.webkit.org/show_bug.cgi?id=169173
Summary Safari is omitting cookies when sending a web request
Jan Hajek
Reported 2017-03-04 12:29:47 PST
When I set multiple (3 or more) large cookies - with 3000 bytes content each, the browser only appears to send the first two and omits the third and the rest. This is currently happening in Safari on Mac and iPhone as well, while when using Chrome on Mac - this works fine, same for Microsoft Edge, Chrome, and other browsers on Windows. This is an issue for example when building an ASP.NET Core web application which uses cookies to store user's identity and can have potentially bad effect on more applications. I managed to successfully reproduce the issue without ASP.NET Core. I haven't been able to find anything in the documentation about the cookies being omitted when the total is larger then certain size or so.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2017-03-04 15:51:56 PST
<rdar://problem/30853509>
Jan Hajek
Comment 2 2017-03-05 03:44:24 PST
Does this have anything to do with nginx's default configuration of large_client_header_buffers to allow maximum of 8kB in headers? http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
Geoffrey Garen
Comment 3 2017-03-27 16:12:30 PDT
Can you upload a test case or provide a link to a test case that demonstrates this issue?
Jan Hajek
Comment 4 2017-03-28 00:37:28 PDT
Alright - when you visit http://hajekj-cookietest.azurewebsites.net/ - the site is going to set 4 cookies named cookie-1 to cookie-4, each of 3978 bytes in size. When you refresh the page, it is going to show the cookies the server received and in case when you use Safari, only 2 cookies will be shown - cookie-1 and cookie-2, the rest is missing. From developer tools, it will show that there are 4 cookies in the browser memory. The script for this demo is in PHP, and is like this: ```php <?php function generateRandomString($length = 10) { $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; $charactersLength = strlen($characters); $randomString = ''; for ($i = 0; $i < $length; $i++) { $randomString .= $characters[rand(0, $charactersLength - 1)]; } return $randomString; } for($i = 0; $i < 4; $i++) { setcookie("cookie-$i", generateRandomString(3970)); } echo "<pre>"; print_r($_COOKIE); ```
Jan Hajek
Comment 5 2017-06-14 23:27:02 PDT
Hi, are there any updates on this?
Brady Eidson
Comment 6 2017-06-15 12:03:20 PDT
(In reply to Jan Hajek from comment #5) > Hi, are there any updates on this? WebKit doesn't handle cookies on network requests itself - It relies on platform libraries beneath it. In the case of Mac/iOS WebKit, this means CFNetwork which is a proprietary project at Apple. Which also means the WebKit project can't comment on it. Let me ask you this, though - Have you had a chance to try with the High Sierra and/or iOS 11 developer betas? If not because you're not a registered developer, I strongly suggest you try with the first public betas once they come out.
Jan Hajek
Comment 7 2017-06-16 11:16:11 PDT
I will be able to try tomorrow on iOS 11. If it is the issue with CFNetwork, where would I go to report and sort such thing?
Brady Eidson
Comment 8 2017-06-16 11:26:59 PDT
(In reply to Jan Hajek from comment #7) > I will be able to try tomorrow on iOS 11. Great! > If it is the issue with CFNetwork, where would I go to report and sort such thing? https://developer.apple.com/bug-reporting/ https://bugreport.apple.com/ Once a radar is filed, please mention it here so we can link the issues internally.
Jan Hajek
Comment 9 2017-06-16 13:02:18 PDT
Link to the bug report: https://bugreport.apple.com/web/?problemID=32821328
Jan Hajek
Comment 10 2017-06-17 07:38:58 PDT
I just checked and it seems to be working fine in Safari on iOS 11.
Brady Eidson
Comment 11 2017-06-17 15:04:14 PDT
(In reply to Jan Hajek from comment #10) > I just checked and it seems to be working fine in Safari on iOS 11. 👍
Note You need to log in before you can comment on or make changes to this bug.