`withCredentials` flag gets ignored on iOS
Is this a bug report?
Yes
Have you read the Bugs section of the Contributing to React Native Guide?
Yes
Environment
`react-native -v`: 0.46
Then, specify:
- Target Platform: iOS
- Development Operating System: macOS
- Build tools: Xcode
Description
In `react-native@0.44`, a flag `withCredentials` was introduced. In `react-native@0.46`, the behaviour was unintentionally changed by this commit: 047961fbf77cb012b53978184102e8ca3d00c7ec
`withCredentials = true` translates to `HTTPShouldHandleCookies = YES` in native code. After the commit that I linked above, the `Cookie` header gets set explicitly, which overrides any behaviour set by `HTTPShouldHandleCookies`.
Steps to Reproduce
Make a `fetch` request with the flag `withCredentials: true`.
Expected Behavior
The flag gets respected.
The cookie header only gets set explicitly if `withCredentials = false`.
Actual Behavior
The flag gets overridden.
Reproducible Demo
Hard to make a demo, but the bug can be proven with the Apple documentation:
If your app sets the Cookie header on an NSMutableURLRequest object, then this method has no effect, and the cookie data you set in the header overrides all cookies from the cookie store.
Here you can see that `HTTPShouldHandleCookies` is being set based on the `withCredentials` flag.
Here you can see that the `Cookie` header is being set explicitly, which takes precedence over `HTTPShouldHandleCookies`.
Related issues
- withCredentials flag in XHRs should default to “true” #14063
Issue Analytics
- Created 6 years ago
- Reactions:11
- Comments:10 (5 by maintainers)
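The interaction the issue describes, reproduced on a bare `NSMutableURLRequest` as an added example (not React Native's code and not part of the original issue). The URL, the cookie and the helper names `BuildRequest` and `CookieHeaderIgnoresFlag` are constructed for illustration.

```objc
// Added illustration, not React Native source. Build on macOS with:
//   clang -fobjc-arc -framework Foundation cookie_flag.m -o cookie_flag
#import <Foundation/Foundation.h>

// Hypothetical helper: the flag drives HTTPShouldHandleCookies, and the caller
// may additionally write a Cookie header by hand, as the issue describes.
static NSMutableURLRequest *BuildRequest(NSURL *url,
                                         BOOL withCredentials,
                                         NSArray<NSHTTPCookie *> *explicitCookies)
{
  NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
  request.HTTPShouldHandleCookies = withCredentials;
  if (explicitCookies.count > 0) {
    NSDictionary<NSString *, NSString *> *fields =
        [NSHTTPCookie requestHeaderFieldsWithCookies:explicitCookies];
    [request setValue:fields[@"Cookie"] forHTTPHeaderField:@"Cookie"];
  }
  return request;
}

// YES when a Cookie header is present and identical whichever way the flag is
// set, i.e. the flag has no influence on what the request object carries.
static BOOL CookieHeaderIgnoresFlag(NSURL *url, NSArray<NSHTTPCookie *> *cookies)
{
  NSString *on = [BuildRequest(url, YES, cookies) valueForHTTPHeaderField:@"Cookie"];
  NSString *off = [BuildRequest(url, NO, cookies) valueForHTTPHeaderField:@"Cookie"];
  return on != nil && [on isEqualToString:off];
}

int main(void)
{
  @autoreleasepool {
    // Constructed sample data.
    NSURL *url = [NSURL URLWithString:@"https://api.example.test/profile"];
    NSHTTPCookie *session = [NSHTTPCookie cookieWithProperties:@{
      NSHTTPCookieName : @"session",
      NSHTTPCookieValue : @"constructed-value",
      NSHTTPCookieDomain : @"api.example.test",
      NSHTTPCookiePath : @"/"
    }];
    NSMutableURLRequest *r = BuildRequest(url, NO, @[ session ]);
    NSLog(@"HTTPShouldHandleCookies=%d Cookie=%@", r.HTTPShouldHandleCookies,
          [r valueForHTTPHeaderField:@"Cookie"]);
    NSLog(@"explicit header ignores flag: %d", CookieHeaderIgnoresFlag(url, @[ session ]));
    NSLog(@"no explicit header ignores flag: %d", CookieHeaderIgnoresFlag(url, @[]));
  }
  return 0;
}
```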
Top GitHub Comments
Any news or progress on this? 😃
I raised some concerns in https://github.com/facebook/react-native/pull/14931#issuecomment-318149698, which contains the proposed fix.
I’m not sure if I’m clear on precisely what behavior you’re expecting. Specifically, when you use `withCredentials: true`, are you finding that the value of the `Cookie` header in the resulting request is missing some cookies? Or is it that `Set-Cookie` response headers aren’t being respected?
I expect that the problem may be that cookies are missing, because the changes in 047961fbf77cb012b53978184102e8ca3d00c7ec switched to a different cookie jar. Understandably, this would be bad for existing users, who could potentially be logged out through the loss of the cookies that were set before that change. However, I’d like clarification from those of you who are affected, since I’m afraid #14931 may have the wrong fix.