ansaurus

Question

Safari doesn't set Cookie but IE / FF does.

Answer 1

+5 A:

It looks like you hit a Safari bug here; you are redirecting any visiting browser to /entry while setting the cookie at the same time, and Safari is ignoring the Set-Cookie header when encountering the 302 HTTP status:

$ curl -so /dev/null -D - http://4much.schnickschnack.info/
HTTP/1.1 302 Moved Temporarily
Server: nginx/0.7.61
Date: Sun, 19 Jul 2009 12:20:49 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Content-Length: 14260
Content-Language: de
Expires: Sat, 1 Jan 2000 00:00:00 GMT
Location: http://4much.schnickschnack.info/entry
Set-Cookie: colorstyle="bright"; Path=/; Expires=1248092449.12
Set-Cookie: _ZopeId="73230900A39w5NG7q4g"; Path=/

Technically, this would be a bug in Apple's Foundation Classes, I've found a WebKit bug that states this is the case.

I suppose the workaround is to set the cookie not in index_html but in entry instead.

Martijn Pieters 2009-07-19 12:33:45

Thanks for the good explication, Martjin! I have put the code into the /entry. Now it works. THX!

Gomez 2009-07-22 17:48:58

Answer 2

+1 A:

A month ago, I ran into this issue. At first I thought it was a corrupted cookie jar as I could clean out the cookies and go.

However, it popped up again. This time I spent an hour going through it, watching what was sent, reviewing what safari sent back, and I found the problem.

In this case, I had an array of cookie values being sent to the browser after login prior to the redirect. The values looked something like 'user id', 'user full name', 'some other id', etc.

( yes, the id's are encrypted so no worries there )

My user full name was actually in a <lastname>, <firstname> format.

When safari was posting the cookie back to the server, everything after the comma after the lastname was dropped. It was only posting back values up to that point.

When i removed the comma the rest of the values started working just fine.

So it appears that if you send a cookie value that contains a comma, then safari doesn't properly escape that in it's internal storage. Which leads me to think that if they aren't properly escaping commas, then there are probably some security issues with safari's cookie handling code.

Incidentally, this was tested on Win 7 x64 with safari 4.0.5. Also I put up a web page at: http://cookietest.livelyconsulting.com/ which shows this exact problem. IE, FF, and chrome all correctly set the cookie. safari does not.

Chris Lively 2010-05-06 16:00:51

Chris: your issue is completely parser related. It has to do with how CFNetwork coalesces the Set-Cookie headers into one Set-Cookie header during HTTP parse time. Generally, Duplicate HTTP Headers can be coalesced into one header using a ', ' delimiter. Unfortunately, Set-Cookies has been an historically broken header. This was discussed at a recent IETF meeting. There is no issue with the internal representation of the cookies.

Mark Pauley 2010-07-06 23:45:54

@Mark Pauley: Glad to see an apple dev actively talking about how safari handles cookies. I ran across some of your correspondence at http://www.ietf.org/mail-archive/web/http-state/current/msg00645.html I think the fact that safari is the only browser exhibiting this breaking behavior is reason enough to pull the feature.

Chris Lively 2010-07-07 00:34:29

ansaurus

tags:

views:

answers:

Safari doesn't set Cookie but IE / FF does.

related questions