Httponly cookies, if and how

We’ve been using Capacitor for a couple of months now, but for security reasons we have only now implemented HttpOnly cookies.

Before, we used to receive a token in the response from our server; then I’d either save it to cookies on the web or to localStorage on iOS and Android. I was forced to use localStorage for our apps because cookies didn’t seem to persist between sessions.

Now, with HttpOnly cookies, the cookies are set automatically by a Set-Cookie header (at least on the web), but this doesn’t seem to be working at all in our apps.

What is the recommended way to save tokens in Ionic/Capacitor?

Should we ditch HttpOnly on our apps in favor of saving to localStorage?

Capacitor info:

💊   Capacitor Doctor  💊 

Latest Dependencies:

  @capacitor/cli: 2.4.3
  @capacitor/core: 2.4.3
  @capacitor/android: 2.4.3
  @capacitor/electron: 2.4.3
  @capacitor/ios: 2.4.3

Installed Dependencies:

  @capacitor/cli 2.4.3
  @capacitor/android 2.4.3
  @capacitor/ios 2.4.3
  @capacitor/core 2.4.3
  @capacitor/electron not installed

[success] Android looking great! 👌
  Found 0 Capacitor plugins for ios:
[success] iOS looking great! 👌

Currently I’ve been testing stuff on iOS, but I’m fairly sure issues will be similar on Android.

1 Like

An update:

Found a couple of useful issues on GitHub, especially this one. The fix mentioned there:

{
  ...
  "server": {
    "hostname": "API_DOMAIN"
  }
}

Seems to work and the cookies are:

  • Set correctly
  • Sent correctly with requests

Unfortunately I’m having trouble persisting these cookies on both iOS and Android. As soon as the app is closed the cookies are seemingly deleted and the user is required to log in again.

This issue seems to have a fix for android, but I cannot find a similar solution for iOS.

1 Like
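The two posts above raise two separate questions: whether an HttpOnly cookie is a better place for the token than localStorage, and why the cookie disappears when the app is closed. The following is an added example, not code from this thread or from the Capacitor project. It builds the Set-Cookie header a hypothetical API server would send for a cookie named auth_token (the cookie name, the domain api.example.com and the token values are constructed), then parses it back and reports the properties worth checking on the server side: HttpOnly (the value is not exposed to document.cookie, which is what makes it safer than localStorage against injected script), Secure, SameSite, and whether Max-Age or Expires is present at all. A Set-Cookie header without Max-Age or Expires defines a session cookie, which user agents are entitled to drop when they shut down; checking that first separates a server-side cause from a WebView-specific one.

```javascript
// Added example (not from the thread or the Capacitor project): build and inspect
// Set-Cookie headers for an auth-token cookie. The cookie name "auth_token",
// the domain "api.example.com" and the token values below are constructed samples.

/**
 * Build a Set-Cookie header value for an HttpOnly auth cookie.
 * - HttpOnly keeps document.cookie (and so any injected script) from reading it;
 *   that is the advantage over storing the token in localStorage.
 * - Secure and SameSite limit where the browser or WebView will send it.
 * - Without Max-Age/Expires the result is a session cookie, which the user agent
 *   may discard when it shuts down.
 */
function buildAuthCookie(name, value, { maxAgeSeconds = null, domain = null, sameSite = "Lax" } = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error("invalid cookie name");
  if (/[;\s,]/.test(value)) throw new Error("cookie value must not contain ';', ',' or whitespace");
  const parts = [`${name}=${value}`, "Path=/", "HttpOnly", "Secure", `SameSite=${sameSite}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (maxAgeSeconds !== null) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join("; ");
}

/** Parse a Set-Cookie header value into name, value and a lower-cased attribute map. */
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    // Flag attributes (HttpOnly, Secure) become true; valued ones keep their string.
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

/** Report the security and persistence properties a defender would check. */
function auditAuthCookie(header) {
  const a = parseSetCookie(header).attributes;
  return {
    name: parseSetCookie(header).name,
    httpOnly: a.httponly === true,
    secure: a.secure === true,
    sameSite: typeof a.samesite === "string" ? a.samesite : "none-specified",
    // Session cookie unless the server sent an explicit lifetime.
    persistent: "max-age" in a || "expires" in a,
  };
}

// Constructed samples: a session cookie (no Max-Age) and a persistent one (7 days).
const SESSION_COOKIE = buildAuthCookie("auth_token", "sample-opaque-token");
const PERSISTENT_COOKIE = buildAuthCookie("auth_token", "sample-opaque-token", {
  maxAgeSeconds: 7 * 24 * 3600,
  domain: "api.example.com",
});

console.log(SESSION_COOKIE);
console.log(auditAuthCookie(SESSION_COOKIE));
console.log(PERSISTENT_COOKIE);
console.log(auditAuthCookie(PERSISTENT_COOKIE));
```

Running the block prints both headers and their audits; the session cookie reports persistent: false even though it is HttpOnly and Secure, which is the combination the update post describes. Whether a given WebView stores a persistent cookie between launches is still platform behaviour that this example does not model.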

Bump? Surely there has to be a solution for this

Some related info here: Cookie-based authentication for iOS for Ionic React / Capacitor - #2 by rvluttikhuizen