Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Video requiring asp.net authentication not working on iOS 10

On Safari in iOS 10 my video doesn't work, only showing the play-icon.

I serve the video via an asp.net server, which checks to make sure the user has logged on and have access to the video. Only, on iOS 10 the server will respond with 401 Unauthorized!

Doing some testing with the code below, I found that safari on iOS 9 sends the ".ASPXAUTH" cookie - but safari on iOS 10 doesn't!

<video crossorigin="use-credentials" controls autoplay="autoplay">
    <source src="/Server/GetVideo.ashx?id=123"/>
</video>

Why is safari not able to play my video? Is there any way to solve it?

like image 362
Mystogan Avatar asked Sep 22 '16 10:09

Mystogan


2 Answers

My solution is here: https://stackoverflow.com/a/40015409/7012293

Basically you need to send a 403 forbidden if the session cookie is missing. Safari will retry with the session cookie.

like image 113
Henry Yang Avatar answered Nov 15 '22 19:11

Henry Yang


We have the exact same problem with a completely different technology stack (Linux, PHP, Moodle). Our session cookie is not sent with video (and audio) requests.

We weren't able to figure out a way to make iOS behave properly here, so we are doing an emergency patch to solve the problem by detecting iOS 10 and sending it to a different script to serve the video, passing a securely encrypted version of the session cookie value inside the path to this script, and then doing various hacks so that the value from the path gets used to identify the session from within that script (instead of the nonexistent cookie). This change works but is complex, has minor security implications, and might be harder to implement on different technologies.

This seems like a major problem with iOS 10 so I would hope that it might be fixed in a future update. Also, I note that although our session cookie is not included with the video, several other cookies are included! I couldn't actually figure out which ones weren't. (One of the first things I tried was to use a timed-expiry instead of session cookie, but this didn't get sent with the video either.)

like image 24
sam Avatar answered Nov 15 '22 19:11

sam