开发者

Safari extension cookies not recognized/passed

I've recently been porting a Chrome extension to Safari, and encountered this kind of error (bug, feature, etc.)

So, in global page i have a XMLHTTP request to a secure page which is available only after you login.

Example:

  1. I simply login using browser - as usually you do on facebook or other secure pages
  2. After tha开发者_C百科t, in global page, I load a login-only-available xmlhttp - and it says i'm not logged in

it seems that global page somewhat has it's own cookies, so a secure page thinks i'm new

ps: in Chrome i can load that page and it thinks i'm acting on behalf of logged in user, so i guess there are some restrictions in Safari

pps: i heard there's a Block third-party cookies option in Safari, but even if i checked it to "Never block" it still doesn't work


Unfortunately the problem is still existent in safari 5.1.7 windows version.

I've found a workaround to pass login credentials (username/password pairs) to the global page using message passing and global page use them to login silently.


I had that problem with Safari 5.1.2 for Windows, but after upgrading to the current version (5.1.7) the problem disappeared. Maybe they fixed it on some intermediate version. It is also working for me on a Safari 5.1.3 for Mac OS X.


Cookies can optionally be marked as either HttpOnly or Secure. If it's not passing them across, you are probably trying to access a HTTP resource on the same site from the HTTPS post-login landing page, so the browser won't allow the secure cookie to be sent over a non-secure link. Effectively, the HTTP and HTTPS sites are being treated as separate.

You either need to make sure that after login, you get the browser redirected to HTTP and set a HttpOnly cookie, or just do the XMLHttpRequest over HTTPS. This would be more secure and doesn't really add much server overhead (it used to when hardware was slow, but Google say that when Gmail went over to using HTTPS as a default, it didn't impact on server load more than a couple of percent).

Try setting the entire site to run over HTTPS and see if that fixes it. Also, use firebug and the firecookie extension to see whether the cookies have either of these options enabled (right hand two columns).


Cookies must not be "Session cookies", they must be persistent. Set expiration date.

It needs to be done on server-side. In example, for Node.js/Express something like this:

var session = require('cookie-session');
…
var cookieExpires = new Date();
cookieExpires.setDate(cookieExpires.getDate() + 1); // Set 1 day cookie lifetime
…
app.use(
    session({
        …
        name: 'session',
        expires: cookieExpires
    }))
…
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜