Safari 11 X-XSRF-TOKEN not updated after refresh

Recently Safari 11 was released on Mac OSX. This update causes problems with our web application in combination with XSRF on the header of our request. I will try to describe the problem in a logical way. This is what a good situation looks like:

  1. When a user wants to log in, he receives a response from the server with a Set-Cookie that contains the value of the XSRF token. E.g.: Set-Cookie: XSRF-TOKEN=LKNBX4DZhL708KjXNkgXnlxTDCNuhsZG1kTc2SFy498; Path=/; Secure

  2. The page refreshes. The next call that will be executed contains that correct XSRF value in the header. On the server side the value is checked etc. Each call from the front end will contain that XSRF token.

  3. If the user logs out and wants to log in again, his XSRF cookie will be overridden by a new value and he is able to log in with that token.

Our problematic situation (with Safari 11 on Mac OSX; other browsers don't show this behavior):

  1. If there are no cookies existing, the user can log in normally.

  2. However, if he wants to log back in (after a previous session), the refresh takes place. On the first call after the refresh, the XSRF-token in his call is not replaced by the new value; it still contains the old XSRF-token from the previous session. When we inspect this request we see that the cookies on this request contain the right value, but the header is reflecting the old token.

  3. This call with the wrong header causes a session close in the backend and so the user is kicked out of his session.

TL;DR: in Safari 11 the header XSRF-TOKEN does not update according to the cookie value after a refresh. We have this working on older versions and on other browsers, which is why we think it is a Safari 11 bug.

Is anyone else experiencing a similar kind of issue, where a header value of a request is not updated after a page refresh in Safari 11?

EDIT: After testing we have discovered that placing a timestamp in the URL as a query parameter forces Safari 11 to send the correct request. It seems that some requests are cached and updated headers are ignored.

Thanks a lot!

Asked by Flex, Oct 02 '17 12:10


1 Answer

I cannot really comment on your token issue but I do also have the suspicion that Safari 11 has a problem with caching. Lately, even for JSON requests that specify

Cache-Control: no-cache, private

Safari starts to cache those requests (shown as Cache (Disk)) after 2 reloads of the page from localhost. Neither Firefox nor Chrome do so. Looks like a bug to me?

Answered by andig, Nov 11 '22 17:11