7

I have implemented an OAuth2 client, in which the first step is to send a user to the relevant 3rd party (Facebook for this example). I set them a state cookie, and when they return from Facebook I validate that state cookie.

In Chrome, everything is great. When I send the user to the redirect URL, I can see (using inspect element) that they have the state cookie I set. However, when I try on (desktop) Safari on the latest macOS, I don't see that cookie.

I set the cookie in the response for my redirect request:

// Set the state cookie on the same response that sends the user to the provider
res.cookie('state', state.toString(), {
  maxAge: 3600000, // one hour, in milliseconds
  secure: true,    // only sent over HTTPS
  httpOnly: true,  // not readable from page scripts
});
res.redirect(someRedirectUri); // 302 to the provider's authorization URL

How can I get those cookies to be saved on Safari as well? Am I just setting the cookies wrong?

Amit

2 Answers

7

I think you've found a known WebKit issue.

So Safari is ignoring the Set-Cookie header when it encounters the 302 HTTP status.

Yevhen Laichenkov
0

Late response but I hope this helps anyone else coming across this issue.

I ran into this issue earlier today. It was happening on iOS Safari and Chrome (Chrome on iOS uses WebKit). The workaround I implemented was changing the initial response to a 200 and returning a web page which would do a JavaScript redirect after a few seconds.

Here's the HTML I used:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>Redirecting...</title>
</head>
<body>
    <h1>Redirecting...</h1>
    <div>You will be redirected in a moment. If you are not redirected, click the following link: <a id="link" href="https://example.com">Go Now</a></div>
    <script type="text/javascript">
        // Build the redirect target from the current host, point the fallback link at it,
        // then navigate there after a short delay so the cookies from this 200 response are stored first
        var host = "https://" + window.location.host;
        document.getElementById("link").setAttribute("href", host);
        setTimeout(function () {
            window.location.href = host;
        }, 3000);
    </script>
</body>
</html>

This way the cookies will be set with the response, and the redirect will happen a moment later.

In my case, I was completing an OAuth workflow. You should be able to customize/render the page in a number of ways to meet other requirements.

Padge