Storing Cookies - failing with iOS browsers

[clemieux]

Hi folks,

I have a legacy web application running on a number of PK70's that make use of cookies (for storing basic session information for validation purposes). The method used for storing the cookie to begin with (as declared in http.h):

Code: Select all

/*Send a header and include a cookie */
void SendHTMLHeaderWCookie( int sock, char *cookie );

This has worked flawlessly in any major browser from PC or Mac. However, iPads and iPhones on the other hand...I haven't gotten it to work with Chrome, Safari or Opera.

I'm having difficulty tracking down the point where this breaks - just not sure what the code is actually doing. It's pretty clear the cookie isn't being stored in the first place, so I was wondering if any of you have encountered similar issues, have workarounds, suggestions, etc.

Thanks much!

-Chris

[dpursell]

I've noticed that when my users have problems storing cookies on their iPhones it's usually that the phone itself is set to disallow cookies. I don't have one myself so I can't remember where that option is, somewhere in the settings menu I believe.

Other than that, here's the general sequence of calls my code makes, and it seems to work fine on iPhones and Droids

Code: Select all

char* buffer = "MyCookieV1=blahblahblah "; // Trailing space at the end for some reason - probably a typo in my code, but maybe important?
SendHTMLHeaderWCookie(sock, buffer);
SendFileFragment("redirect.htm", sock);

[dciliske]

Hmm... I can take a guess that may point you in the right direction. My guess is that you're sending a bare bones cookie that for various reasons is being rejected by the iOS browser (is that Safari?). Now, my guess is that you're sending a bare minimum cookie that exists of only the 'Name=Value' form the Netburner (this is what I would probably do, until proven wrong). There's a few things I'd suggest adding to your cookie string:

1. 'Expires' or 'Max-age' token.
2. A 'Domain' token. If the device is being accessed by its IP address, this is simply the IP address; if it's being accessed by DNS, you'll need to be able to either set a 'hostname', or look for the 'Request-URL' in the http request and parse out the domain from that.
3. If the page/site in question is being served up over SSL, the browser may required the cookie to be marked 'Secure'.

You probably also want to look at RFC 6265, specifically the section on Server Requirements (if you haven't already). It might also interest you to take a look at RFC 1945, which defines the HTTP/1.0 standard (note: the Netburner webserver only supports HTTP/1.0).

Last, as a side note, 'SendHTMLHeaderWCookie' is defined as the following:

Code: Select all

void SendHTMLHeaderWCookie( int sock, char *cookie )
{
   writestring( sock, "HTTP/1.0 200 OK\r\nPragma: no-cache\r\nSet-Cookie: " );
   writesafestring( sock, cookie );
   writestring( sock, "\r\nContent-Type: text/html\r\n\r\n" );
}

-Dan

[clemieux]

Thank you both for the responses. I have definitely confirmed the browsers (Opera, Chrome and Safari) are permitting cookies - so this would certainly lead to an implementation issue. Dan, you're correct that I'm sending a barebones cookie but the 'value' portion of the cookie is strictly the IP address of the device. This is not a secured website, so I don't believe it to be associated with SSL.

I'll dig a bit further and see what I uncover. Thank you both for the code fragments.

-Chris

[clemieux]

I've noticed that when my users have problems storing cookies on their iPhones it's usually that the phone itself is set to disallow cookies. I don't have one myself so I can't remember where that option is, somewhere in the settings menu I believe.

Other than that, here's the general sequence of calls my code makes, and it seems to work fine on iPhones and Droids

Code: Select all

char* buffer = "MyCookieV1=blahblahblah "; // Trailing space at the end for some reason - probably a typo in my code, but maybe important?
SendHTMLHeaderWCookie(sock, buffer);
SendFileFragment("redirect.htm", sock);

dpursell, have you confirmed this approach to definitely work for you on an iPhone/iPad? Are you including several tokens in your cookie string as Dan was suggesting? Thanks!

[dciliske]

Also, thinking about it, you shouldn't have spaces in any 'value' portion of any http communication ever; they do have special meaning. If you must send a space, always escape it ('%20', if I recall correctly). So, if you haven't already strip it out and see what happens.

-Dan

[dpursell]

I've noticed that when my users have problems storing cookies on their iPhones it's usually that the phone itself is set to disallow cookies. I don't have one myself so I can't remember where that option is, somewhere in the settings menu I believe.

Other than that, here's the general sequence of calls my code makes, and it seems to work fine on iPhones and Droids

Code: Select all

char* buffer = "MyCookieV1=blahblahblah "; // Trailing space at the end for some reason - probably a typo in my code, but maybe important?
SendHTMLHeaderWCookie(sock, buffer);
SendFileFragment("redirect.htm", sock);

dpursell, have you confirmed this approach to definitely work for you on an iPhone/iPad? Are you including several tokens in your cookie string as Dan was suggesting? Thanks!

I am sure that our program works for iPhones, but I don't think we've ever tried an iPad. I'm just doing the basic <name>=<value> cookie, nothing fancy. Here's what Chrome says is in my cookie (from a desktop computer):

Name: KGCookieV1
Content: tae8REPrbfQLxXDXMP2FMN+uspk=ZHB1cnNlbGwA
Domain: 192.168.90.10
Path: /
Send for: Any kind of connection
Accessible to script: Yes
Created: Wednesday, August 21, 2013 11:56:25 AM
Expires: When the browsing session ends

My content is a couple Base64-encoded strings, which is why is looks like garbage (and actually that '=' character in there is probably not optimal since that is the name/value separation character), but it seems to work on iPhones. If I can track someone down who owns one I'll see if I can look at the cookie contents from their phone.

My NetBurner is hardcoded to a certain IP, so if yours is not maybe the problem has to do with the domain token that Dan mentioned.

-David

[clemieux]

Good stuff! Thanks David - I'll do some digging this evening.

-Chris

[clemieux]

Well, it didn't take long to fix the issue once I saw your example! Turns out I was storing nothing more than the 'value' portion of the standard name/value pair representing the cookie. So, rather than something like "MyCookieV1=blahblahblah" it was simply "blahblahblah" - no name at all! How this was working in browsers on other platforms outside of smartphones and tablets, I'm not sure. I suppose things are more forgiving in those environments.

Nonetheless - NEED THAT NAME, and things will work just fine.

Thanks much!

-Chris