Play session cookie not sent by Safari


jmay...@eco2market.com

Jan 10, 2013, 5:55:57 AM1/10/13
to play-fr...@googlegroups.com
Hi,

I have a single page application (SPA) on a domain a.domain.com (http) that connects to an API on b.otherdomain.com (https) built in Play 2 (Scala).

After the SPA has loaded, the user enters his credentials and the app makes an ajax call to https://b.otherdomain.com.com/login.
The /login sets the Play cookie and the following requests are authenticated correctly.
Everything works on Chrome and Firefox (not IE, because of CORS restrictions). It should work on Safari, but after the /login call the cookie is not sent back with the following requests, so Play returns "401 not authorized" responses.
Is this a bug or a misconfiguration on my server side?
Do I have to change application.session.httpOnly and application.session.secure?

Here is what I see in the Safari inspector:

  • /login headers:
  1. Request URL:
    https://b.otherdomain.com//login
  2. Request method:
    POST
  3. Status code:
    200 OK
  4. Request headers:
    1. Accept:
      application/json, text/plain, */*
    2. Content-Type:
      application/x-www-form-urlencoded
    3. Origin:
    4. Referer:
      http://a.domain.com/
    5. User-Agent:
      Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
  5. Form data:
    1. email:
    2. password: foofoo
  6. Response headers:
    1. Access-Control-Allow-Credentials:
      true
    2. Access-Control-Allow-Origin:
    3. Connection:
      keep-alive
    4. Content-Length:
      31
    5. Content-Type:
      text/plain; charset=utf-8
    6. Set-Cookie:
      PLAY_SESSION=a71f93e3315fa9164dd7112841ccdb4a0f0c447b-sessionId%3A6gtu7%21z.5i%218d%29v8yxy693n-s6zsuejpav_p67f9hb%7Ej%274h2de*jx3g35p%7Egzo0u;Path=/;HTTPOnly
    7. Strict-Transport-Security:
      max-age=31536000
  • following request:
  1. Request URL:
  2. Request method:
    GET
  3. Status code:
    401 Unauthorized
  4. Request headers:
    1. Accept:
      application/json, text/plain, */*
    2. Origin:
    3. Referer:
    4. User-Agent:
      Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
  5. Response headers:
    1. Access-Control-Allow-Credentials:
      true
    2. Access-Control-Allow-Origin:
    3. Connection:
      keep-alive
    4. Content-Length:
      24
    5. Content-Type:
      text/plain; charset=utf-8
    6. Strict-Transport-Security:
      max-age=31536000

Thanks for your help

Pyppe

Jan 10, 2013, 4:04:29 PM1/10/13
to play-fr...@googlegroups.com
This is a restriction of Safari not allowing cross-domain cookies; see e.g. http://stackoverflow.com/questions/408582/setting-cross-domain-cookies-in-safari