Geek Answers Handbook

IOS periodically sends old cookies

I have an application that regularly changes auth token cookie values.

Each time the server rotates the token, it will not mark it as β€œgood” until it sees that the client has a token (the reason that the client includes it in the request headers for the resource).

I have a very specific situation ONLY on iOS (10.3), where it sporadically sends a very old cookie when network conditions change (for example: exit the metro). When this condition strikes, it β€œforgets” the most recent cookie value and β€œstarts living in the past” and sends the old value.

log

** Security note: IP addresses are publicly allocated by t-mobile in New York, and the token has long been removed from our database

  • Is this a known issue?
  • Are there any ways to bypass cookies that are more reliable for iOS? localstorage is not ideal because these cookies are only http.

To clarify ... this is a thread:

  • The client (iOS Safari) has a cookie called _t with a value of old
  • Client (iOS Safari) makes a request to the server
  • We release Set-Cookie and set _t cookie to the new value new (only http, secure cookie)
  • The client makes another request with a new cookie value new . We note that the cookie value is good and the client has it.
  • Time
  • The client sends a request with the _t file with the value old
+8
authentication ios cookies mobile-safari sfsafariviewcontroller
source share
4 answers

Safari View Controller no longer uses cookies with Safari on iOS 11 and above, this change resolved the corruption issues in the cookie store that plagued iOS. We have not encountered this problem since the release of iOS 11.

0
source share

Here is my theory of what happened:

From the cookie life cycle, each time the user authentication state changes (login user β†’ logout user user logout user β†’ login user), the old cookie will be canceled and replaced with a new cookie.

But why did this happen in the subway, and not in other places?
1. These days, most metros provide free, unsecured WiFi to complement poor wireless network connectivity while the metro.
2. In 10.3 some messages were published about the problem of connecting to the network, and this one , in particular, is interesting, since the problem was location dependent .
3. I think that the combination of (1) and (2) above made the application re-authenticate with the server. Maybe you could pull out the logs to check if this is true?

Possible workaround?

Maybe not.
We cannot stop iPhone users from updating iOS. And most have already been.
In addition, the security impairment of non-changing cookies after re-authentication is worse.


Update based on the comment dated 05/31/2017:


Given the details, as in the comments. We could have a better explanation.

In the cookie life cycle, when the user logs out, server-side-invalidation should take place.

Work Stream:
1. When the user logout , authenticated sessionID will be deleted from the browser.
2. But this is not enough. The server needs to invalidate that sessionID too. Otherwise, there may be safety implications.
3. Perhaps in your case the server did not invalidate. That way, he is still expecting a sessionID that was deleted from the browser .

This is just one possible explanation. To be precise, a more detailed analysis of the log file and an additional experiment will be required.

For example, during this period, a reauthentication occurred in the server log?
Can we check in a controlled environment if server-side-invalidation was implemented correctly?

+3
source share

My experience

I also use authentication through identifiers, which change with each request and are stored in cookies. I can confirm this behavior, and it is still present in iOS 11 (and iOS 11.1 beta 3). In my log files, I see that sometimes old cookies are accidentally stored in Safari. This happens in a standalone webapp when it is closed and reopened.

My recovery method

I built a backup method for localStorage. A request with an old cookie usually puts all the data in my database as invalid. If the user agent points to an iOS device, I do not put the data as invalid and give the client a second authentication attempt.

On the client side, I check localStorage and create new cookies with this data. Subsequently, a new authentication occurs. LocalStorage is rewritten as cookies with each request. If authentication is completed again, I mark the data as invalid.

0
source share

SQLite database if you are willing to sacrifice a little value.

-2
source share

More articles:


All Articles