Channel: Xojo Programming Forum - Latest topics

Localhost / 127.0.0.1 Cookies

@Ricardo_Cruz I’m glad you said something as my suspicion was one of the latest Safari updates caused this and it’s been a royal pain since it happened.

Doing a quick search at Brave provided the following context (AI generated):

Safari Localhost Cookie Issues

Safari has a unique behavior when it comes to setting cookies on localhost. Unlike Chrome and Firefox, Safari imposes stricter policies, restricting the setting of cookies with the Secure attribute in local development environments.

Why is this a problem?

Cookies marked as Secure are essential for web security, as they instruct browsers to only send the cookie over HTTPS, preventing transmission over unencrypted HTTP. However, this security feature introduces complexities in environments not using HTTPS, such as local development setups.

Workaround: Remove the Secure attribute

To address the issue of Safari not setting cookies in a local development environment, a practical solution involves removing the Secure attribute from cookies. This allows cookies to be transmitted over HTTP, facilitating local testing without requiring an HTTPS setup. Note: This approach should only be used in development environments due to the security risks associated with transmitting cookies over unencrypted connections.

Best Practices

  1. Use HTTPS in production environments: Ensure that your production environment uses HTTPS to maintain the security and integrity of cookies.
  2. Configure environment-specific cookie settings: Use environment-specific configuration to omit the Secure attribute from cookies in local development environments and enforce it in production environments.
  3. Test and debug locally: Use a local development setup with HTTPS (e.g., https://localhost) to test and debug your application, ensuring that cookies are set and transmitted securely.

Additional Insights

  • Safari’s behavior is specific to its implementation and not documented by Apple.
  • Other browsers, like Chrome and Firefox, exhibit more lenient behavior regarding cookie setting on localhost, allowing developers greater flexibility in testing and debugging.
  • The strict handling of Secure cookies underscores the increasing emphasis on using HTTPS across the web, even in development environments.

By understanding Safari’s behavior and implementing best practices, you can ensure seamless cookie handling and maintain the security and integrity of your web application.

I had already stubbed out my debug build to set my cookies as Secure = False in the WebCookieManager a while ago but this doesn’t appear to help. Tonight I also tried setting HTTPOnly = True but this also didn’t help.

@Ricardo_Cruz Thoughts on where we can go next? Does HTTPS need to be added to debug builds, as much of a pain as this would be with a self-signed cert? Happy to put in a ticket for a feature request or bug fix here.

I’ve been so very tempted to switch over to Firefox instead for my debug testing but haven’t pulled the trigger yet.
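The environment-specific cookie setting discussed in the post, as an added example that is not part of the original post and is not Xojo or `WebCookieManager` code: a Python sketch that builds the `Set-Cookie` value and drops `Secure` only for a debug build served over plain HTTP on a loopback host. It goes slightly beyond the post by also rejecting `SameSite=None` and `__Secure-`/`__Host-` cookie names when `Secure` is absent; the function and parameter names are hypothetical.

```python
# Added example: names below are hypothetical, not a real framework API.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}  # hosts treated as local development


def _hostname(host_header):
    """Strip the port from a Host header value, including bracketed IPv6."""
    if host_header.startswith("["):
        return host_header[1:host_header.index("]")]
    return host_header.split(":", 1)[0].lower()


def build_set_cookie(name, value, *, scheme, host_header, debug_build,
                     http_only=True, same_site="Lax"):
    """Return a Set-Cookie header value; Secure is on unless local debug over HTTP."""
    secure = True
    if scheme == "http":
        # Cleartext is tolerated only for a debug build on a loopback host.
        if not (debug_build and _hostname(host_header) in LOOPBACK_HOSTS):
            raise ValueError("refusing to set a cookie over plain HTTP outside local debug")
        secure = False

    if not secure:
        # Browsers reject these combinations, so fail loudly instead of silently.
        if same_site == "None":
            raise ValueError("SameSite=None requires Secure")
        if name.startswith(("__Secure-", "__Host-")):
            raise ValueError("prefixed cookie names require Secure")

    parts = [f"{name}={value}", "Path=/", f"SameSite={same_site}"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample requests: local debug run, then a production request.
    print(build_set_cookie("sid", "abc", scheme="http",
                           host_header="127.0.0.1:8080", debug_build=True))
    print(build_set_cookie("sid", "abc", scheme="https",
                           host_header="app.example.test", debug_build=False))
```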
