Ionic 4 not storing updated authentication cookie on iOS and Android

All of a sudden today, our deployed Ionic app stopped accepting the authentication cookie returned by our server. We have made no changes to the app or the server, so we are quite puzzled. After debugging these requests, we confirmed that the SET-COOKIE header is coming back from our login endpoint, but it is not used on requests made after via HttpClient.

This only happens on iOS and Android, running ionic serve everything works.

Any ideas on this one?

We figured out the issue. It was related to the new chrome cookie security policy. We had to update our server to provide SameSite=None cookie on all requests to supporting browsers (older browsers it will break though in some cases). Here is some additional information as this change is going live in the next few weeks on all devices. I think it’s about to be a s*** storm.

https://www.chromestatus.com/feature/5088147346030592 https://www.chromestatus.com/feature/5633521622188032

Hi! I’m curious, on which Android device does the issue occurs (WebView version) ?
The issue occurs on iOS too?
Are you using chrome on Android to access your app via HTTP, or is it an Ionic App? Ionic App should use a WebView based on Chromium (but not impacted by the new samesite policy), shouldn’t it?
Thanks!

Hi,

It turns out that it was our Azure server that had installed a patch without informing us that was adding SameSite = Lax to all set-cookie headers (thereby breaking cross origin requests from the ionic app). They have now provided a configuration option to set SameSite = None on asp.net authentication requests. It was not related to the webviews themselves.

Here is some info regarding Azure’s handling of this issue in case it’s relevant to anyone: https://azure.microsoft.com/en-us/updates/app-service-samesite-cookie-update/

1 Like

Hi! Thanks for the quick answer.
According to you, this issue was caused by the Webview in your Ionic Apps that couldn’t handle the new samesite=Lax Header in the response, and as a consequence, the next requests couldn’t set the cookie in the header ?

I’m trying to analyse impact on my Ionic apps with this new samesite policy (with default set to Samesite=Lax), but I can’t say if Ionic Webviews are or will be impacted (Chromium based on Android 7/8/9).
I experienced the issue in local development mode (ionic serve) but not with my apps.

Me too facing the same issue after chrome update there same site policy. If I set same site policy to none then app working fine but cookie not working in chrome browser. If anyone having the solution please post here

The cookies must also be marked secure and delivered over HTTPS. A good string to append is

SameSite = None; Secure

Unfortunately, this breaks some older browsers and webviews. Here’s some more info on that problem: https://www.chromium.org/updates/same-site/incompatible-clients

That’s correct, as they are cross site requests and SameSite = Lax does not allow cross origin requests. The correct solution is to deliver SameSite = None; Secure for clients that support it, and omit it from clients that do not. The best way to do it is User-Agent sniffing. Here’s some more info on affected clients: https://www.chromium.org/updates/same-site/incompatible-clients

1 Like

Now chrome release new version 80.xx.xxx… And now it’s supports SameSite = None;