 

Cookies are not stored in android Webview API 21 and up

Background:

I am experiencing a very confusing behaviour with Android WebViews in API 21 and up when testing on real devices.

I have a local HTML5 application (inside assets folder) with the following functionality

  • Login (2 steps authentication).
  • Show a list of items depending on the authentication.

The problem:

After doing the login requests, the server returns a cookie with the session. This cookie is not stored in the WebView when using real devices with API 21 or up. If I use emulators (Genymotion in this case), the cookies are properly stored.

More information:

The request to do the auth has the following headers:

POST http://myServer/j_spring_security_check HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 101
access-control-allow-origin: *
accept: application/json
access-control-allow-credentials: true
User-Agent: Framework/1.5.0 (Linux; U; Android 6.0.1; Nexus 5X Build/MMB29Q) App/0.1.1
Origin: file://
content-type: application/x-www-form-urlencoded
Accept-Language: en-US
X-Requested-With: app.package
Host: myServer

With the following response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4D169E8656DBEDFFA4D17FE8D436A5BA; Expires=Fri, 19-Feb-2016 14:27:55 GMT; Path=/; HttpOnly
Content-Type: application/json;charset=UTF-8
Content-Length: 43
Date: Fri, 19 Feb 2016 14:17:55 GMT

The cookie is not stored on devices with API 21 or more. The same request/response works fine on the rest of the devices and on all the emulators.

Clarification:

  • These flags are enabled inside the app:

    android.webkit.CookieManager.setAcceptFileSchemeCookies(true);

  (Before CookieManager or the WebView is instantiated, as the documentation says)

    if (android.os.Build.VERSION.SDK_INT >= 21) {
        android.webkit.CookieManager.getInstance().setAcceptThirdPartyCookies(this.nativeWebView, true);
    }
  • If after doing the authentication, I access the cookies datastore and check the "hasCookies" method, I get false.

  • The two-step auth service actually calls 3 different paths on the same endpoint. None of the cookies in the responses generated by these services are stored. I don't know if this is relevant or not.

  • When doing simple authentication (to a different server), cookies are stored properly on all the devices and emulators.

  • I am using Angular 1.5

  • I am aware that the service is using http instead of https. That will be solved in the future.

  • I get no error message in the consoles.

Questions:

Is there any internal security measure in the webviews that blocks the storage of the cookies? Why does it work on emulators (that are rooted devices) and not in real devices? This really bugs me.

Jbeerdev asked Nov 08 '22 19:11


1 Answer

If the network request is done using window.fetch you may need to add:

fetch('/something', { credentials: 'same-origin' }) // or 'include'

On Chromium, window.fetch has the credentials flag set by default to 'omit' and no cookies are stored into the cookie storage. More details of this bug here: https://bugs.chromium.org/p/chromium/issues/detail?id=477523

kronenthaler answered Nov 14 '22 23:11