Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Sharing cookies across .test sub-domains in Safari 13 not possible

I have a self-certificate for apache for https://example.test & https://m.example.test

When browsing https://m.example.test cookies are set to the base domain '.example.test' using php 'session.cookie_domain'. This DOES work in Chrome, Firefox or Safari up-to-version-12. However, it does not work anymore in Safari 13 (iOS 13 or Catalina).

What's even more strange is that the cookie is still set to the base domain on Safari 13 with my production machine for https://example.COM & https://m.example.COM

I have the same apache server configuration for both the COM and TEST servers. It simply stopped working on my development ".test" server after updating my iOS devices to iOS 13 or in MacOS after Catalina. Chrome, Firefox still work. Even old iOS devices connecting to my development machine (through a proxy) still store the cookie to the base domain ".example.test". So it looks like it is something specific to Safari 13 and only in ".test" domains.

I have created new certificates for my .TEST server using latest recommendations from Apple (max 825 days and so on) but it did not make any difference. It looks like something may have changed with self-signed certificates. Or perhaps a new rule exists for ".test" (not public) domains? It's something either specific to Safari, ".test" not-public-domains or certificates. Or something else I did not even think about.

Any idea how to configure Apache/Macosx/certificates so that I can still share a cookie across subdomains using Safari 13 in development .test domains? Thanks.

like image 444
landabaso Avatar asked May 26 '20 13:05

landabaso


People also ask

Can cookies be shared across sub domains?

Please everyone note that you can set a cookie from a subdomain on a domain. But you CAN'T set a cookie from a domain on a subdomain.

How do I allow cross domain cookies in Safari?

Open the Safari browser. From the menu bar, go to Safari > Preferences. In the preferences dialog, go to the Privacy tab and disable the Prevent cross-site tracking permission.

How do I access cookies from another domain?

As we know that cookie set by one domain cannot be accessed by the another domain. But cookie set to main domain can be accessed by subdomains. Example: Cookie set to domain “maindomain.com” can be accessed by any sub domain of main domain, that is subdomain.maindomain.com, anysub.maindomain.com.

Is a subdomain a third party cookie?

Conclusion: if a resource sets a cookie and the base domain on the resource is the same as the base domain on the web site, but the subdomain is different, popular browsers do not treat it as a third-party cookie.


2 Answers

This is not an issue with certificates, but it seems to be a difference in how Safari parses the .test TLD.

We solved this by setting the cookie explicitly for each subdomain we need. In our Rails app, in the development environment, we set up the session store like this:

config.session_store(
  :active_record_store,
  key: 'our_app_session',
  domain: ['ourapp.test', 'api.ourapp.test', 'help.ourapp.test']
)

If you can figure out the way to do the same thing in your backend, you should be able to use the same cookie for your different .test subdomains.

like image 181
gueorgui Avatar answered Oct 12 '22 09:10

gueorgui


I had the same problem with wildcard subdomains and cookies for the .test tld. It worked in Chrome, but Safari 13 did not set the cookie.

My workaround was to use .local instead. This worked in Safari too.

(Specifying each subdomain separately like @gueorgui suggested does not work as expected, because the browser will set a separate cookie for each subdomain)

like image 1
tbuehl Avatar answered Oct 12 '22 11:10

tbuehl