I've recently been porting a Chrome extension to Safari, and encountered this kind of error (bug, feature, etc.)
So, in global page i have a XMLHTTP request to a secure page which is available only after you login.
Example:
- I simply login using browser - as usually you do on facebook or other secure pages
- After that, in global page, I load a login-only-available xmlhttp - and it says i'm not logged in
it seems that global page somewhat has it's own cookies, so a secure page thinks i'm new
ps: in Chrome i can load that page and it thinks i'm acting on behalf of logged in user, so i guess there are some restrictions in Safari
pps: i heard there's a Block third-party cookies option in Safari, but even if i checked it to "Never block" it still doesn't work
I've recently been porting a Chrome extension to Safari, and encountered this kind of error (bug, feature, etc.)
So, in global page i have a XMLHTTP request to a secure page which is available only after you login.
Example:
- I simply login using browser - as usually you do on facebook or other secure pages
- After that, in global page, I load a login-only-available xmlhttp - and it says i'm not logged in
it seems that global page somewhat has it's own cookies, so a secure page thinks i'm new
ps: in Chrome i can load that page and it thinks i'm acting on behalf of logged in user, so i guess there are some restrictions in Safari
pps: i heard there's a Block third-party cookies option in Safari, but even if i checked it to "Never block" it still doesn't work
Share Improve this question asked Jul 25, 2011 at 12:43 Alex KAlex K 7,2179 gold badges43 silver badges64 bronze badges 10- Yes, I stuck with the same issue, and noticed it is reflecting after some seconds. Have you been able to solve this issue? – ManojMarathayil Commented Feb 7, 2012 at 13:48
- 1 nope, there's an official bug filed in Mac support... but i still don't know if it's fixed. I had to reject supporting of Safari for this project i'm doing :( – Alex K Commented Feb 7, 2012 at 19:42
- Ok, Can you share the mac support link? – ManojMarathayil Commented Feb 8, 2012 at 4:43
- What sets the cookie? If it is PHP, then it could be that the cookie is being set securely and/or as HTTP only (see php/setcookie), and is therefore not sent back by JavaScript/AJAX. – Ashley Strout Commented Feb 9, 2012 at 21:36
- @David, it's an extension, and if you have read my question you should notice that Chrome works as it should – Alex K Commented Feb 13, 2012 at 19:03
4 Answers
Reset to default 3Unfortunately the problem is still existent in safari 5.1.7 windows version.
I've found a workaround to pass login credentials (username/password pairs) to the global page using message passing and global page use them to login silently.
I had that problem with Safari 5.1.2 for Windows, but after upgrading to the current version (5.1.7) the problem disappeared. Maybe they fixed it on some intermediate version. It is also working for me on a Safari 5.1.3 for Mac OS X.
Cookies can optionally be marked as either HttpOnly or Secure. If it's not passing them across, you are probably trying to access a HTTP resource on the same site from the HTTPS post-login landing page, so the browser won't allow the secure cookie to be sent over a non-secure link. Effectively, the HTTP and HTTPS sites are being treated as separate.
You either need to make sure that after login, you get the browser redirected to HTTP and set a HttpOnly cookie, or just do the XMLHttpRequest over HTTPS. This would be more secure and doesn't really add much server overhead (it used to when hardware was slow, but Google say that when Gmail went over to using HTTPS as a default, it didn't impact on server load more than a couple of percent).
Try setting the entire site to run over HTTPS and see if that fixes it. Also, use firebug and the firecookie extension to see whether the cookies have either of these options enabled (right hand two columns).
Cookies must not be "Session cookies", they must be persistent. Set expiration date.
It needs to be done on server-side. In example, for Node.js/Express something like this:
var session = require('cookie-session');
…
var cookieExpires = new Date();
cookieExpires.setDate(cookieExpires.getDate() + 1); // Set 1 day cookie lifetime
…
app.use(
session({
…
name: 'session',
expires: cookieExpires
}))
…