15

I have noticed that the HTML5 video/audio player (AppleCoreMedia) on mobile Safari on iOS 7 excludes all cookies, even first-party cookies. Not even session cookies are included in the HTTP header. This makes it impossible to rely on cookie authorization when playing a video clip in mobile Safari on iOS 7.

All cookies are included correctly running iOS 6 but on iOS 7 no cookies are included in the HTTP-header of AppleCoreMedia.

Can someone else confirm this issue on iOS 7?

Steps to reproduce:

  1. Create a cookie on a web page.
  2. Play an HTML5 video clip on the same web page using mobile Safari in iOS 7.
  3. Check the server logs for AppleCoreMedia and look for the cookie.

Update 2016-09-20: The video player in iOS 10 (AppleCoreMedia) is not able to read session cookies. Only cookies set with an expiry date are readable by the video player.

Kalle
  • 1
    This question appears to be off-topic because it is an iOS bug report, not a programming problem. – Esoteric Screen Name Nov 14 '13 at 22:14
  • 1
    Customer with 7.0.3 had the problem. And now with 7.0.4 continues with the problem. – graffic Nov 15 '13 at 15:26
  • 1
    Still seeing this issue in 7.0.4. Is there a public issue for this that I could comment on/track? – Jordan Eldredge Nov 24 '13 at 18:43
  • 1
    @JordanEldredge I have submitted to Apple and to OpenRadar (not my proudest moment in bug reporting but...): http://openradar.appspot.com/radar?id=5238098090786816 – lemonad Nov 24 '13 at 22:28
  • 2
    This issue seems to be back in iOS10 :-( – moloko Sep 29 '16 at 10:49
  • Yeah, we are also seeing this. Our 10.0 and 10.1 users have problems with streaming certain resources, while it works great on 9.3 and 10.2. We can reproduce the streaming problems on 10.0 and 10.1, but the strange thing is that it works occasionally, like 5% of the times we attempt to stream. And most resources stream perfectly well. – Daniel Saidi Jan 10 '17 at 08:16

9 Answers

12

For iOS10, if you respond with a 403 forbidden, AppleCoreMedia will somehow try again but this time with the missing cookies. If you have code that redirects to login page when the session cookie is missing, video will not work on iOS 10.

Henry Yang
  • 1
    This fixed iOS bug. Yet I am very interested to understand why iOS has implemented this feature. It clearly is not a bug. They do that on purpose! But why? – 0xDEAD BEEF Oct 26 '16 at 10:43
  • Apple seems to have fixed it in iOS 10.2 – Henry Yang Dec 21 '16 at 21:10
  • On the second request, the cookies are still missing for me. On latest version of PS4 default browser (seems to have same issue). `AppleWebKit/605.1.15 (KHTML, like Gecko) libhttp/6.20 (PlayStation 4)` – JBis Dec 31 '18 at 20:44
3

I have developed a simple test where you can check if your iOS device has this bug.

Read more about the test here!

Kalle
3

The bug continues to exist in iOS 7.1

Obviously Apple is ignoring this bug and I can not understand why since it affects so many users.

I have been running some tests on an iOS 7.1 device that had this problem and it is pretty clear that the bug is related to the private browsing feature. Turning private browsing on and then off fixes the problem on the device.

Kalle
2

I'm still seeing problems with iOS 7.0.4, unfortunately. Is the below consistent with what you're seeing or is this perhaps another type of issue?

My test server is running Moodle on Apache and one user can consistently replicate this with two iPads on iOS 7.0.4. The HTTP 407s in the logs below are a Moodle thing. As you can see, the cookie is not sent with the range requests:

access_log:

xxx.yyy.zzz.227 - - [22/Nov/2013:23:11:18 +0000] "GET /pluginfile.php/21/mod_videofile/videos/0/trailer_test.mp4 HTTP/1.1" 200 3711807 "http://xyz.bitnamiapp.com/mod/videofile/view.php?id=2" "Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53"
xxx.yyy.zzz.227 - - [22/Nov/2013:23:11:19 +0000] "GET /pluginfile.php/21/mod_videofile/videos/0/trailer_test.mp4 HTTP/1.1" 407 12818 "-" "AppleCoreMedia/1.0.0.11B554a (iPad; U; CPU OS 7_0_4 like Mac OS X; en_us)"
...

forensic_log:

+Uo-kj38AAAEAAH0O5MEAAAAJ|GET /pluginfile.php/21/mod_videofile/videos/0/trailer_test.mp4 HTTP/1.1|Host:xyz.bitnamiapp.com|Referer:http%3a//xyz.bitnamiapp.com/mod/videofile/view.php?id=2|Accept-Encoding:gzip, deflate|Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8|Accept-Language:en-us|Cookie:MoodleSession=24gkspshgl8027k3l7p2cor631|Connection:keep-alive|DNT:1|User-Agent:Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53
+Uo-kkH8AAAEAAB2cL4IAAAAA|GET /pluginfile.php/21/mod_videofile/videos/0/trailer_test.mp4 HTTP/1.1|Host:xyz.bitnamiapp.com|Range:bytes=0-1|X-Playback-Session-Id:DF1039A4-571B-4EB8-BFFB-EF07CD730CA2|Accept-Encoding:identity|Accept:*/*|Accept-Language:en-us|Connection:keep-alive|User-Agent:AppleCoreMedia/1.0.0.11B554a (iPad; U; CPU OS 7_0_4 like Mac OS X; en_us)
-Uo-kj38AAAEAAH0O5MEAAAAJ
-Uo-kkH8AAAEAAB2cL4IAAAAA
...
lemonad
  • 1
    You are correct! It seems like this bug still exists for a lot of users running iOS 7.0.4 – Kalle Nov 24 '13 at 13:14
  • Correct me if I'm wrong. What I see there is a second request without a moodle cookie needed to see the video. – graffic Nov 29 '13 at 11:33
  • @graffic Some guesswork here but I *think* the first request might be for the browser to pick up the media file header or similar. The logs say 3711807 bytes but I'm pretty sure it doesn't read all of it. The second request with the missing cookie seems to be from the iOS video player. Since the cookie isn't set, Moodle replies with 407 in order to try to stop more incoming range requests instead of loading parts of the login page a hundred times. Is that what you mean or am I perhaps drawing the wrong conclusion somewhere? – lemonad Nov 29 '13 at 13:51
  • 1
    I have news from my site: AppleCoreMedia doesn't send the cookies. But one of my mates found that turning the iPad Safari into private mode, and then back to normal, fixed it for him. Go figure. – graffic Dec 03 '13 at 15:14
  • @graffic That sounds great! I'll write back when I know if it worked or not. Thanks! – lemonad Dec 03 '13 at 20:17
  • @graffic Yes, it actually seems to work! Great detective work : ) – lemonad Dec 04 '13 at 20:55
  • It works for you too? Good news! Anyone else having the same good results? – graffic Dec 05 '13 at 12:32
  • 1
    If so, then it should be easy for Apple to fix the bug. Ask your friends and colleagues to run my tests on https://www.bizify.me/test-if-your-ios-device-is-broken/ and if they can not play the video correctly, ask them to switch the "private mode" back and forth. – Kalle Dec 07 '13 at 13:34
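To find affected clients in your own logs, the check lemonad does by eye above can be scripted. This is an added example, not code from the thread: it parses `mod_log_forensic` entries and reports AppleCoreMedia requests that arrived without a `Cookie` header. The sample lines, host name and function names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample in mod_log_forensic format, modelled on the excerpt above.
SAMPLE_LOG = """\
+req0001|GET /media/clip.mp4 HTTP/1.1|Host:media.example|Cookie:SESSION=constructed123|User-Agent:Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) Safari/9537.53
+req0002|GET /media/clip.mp4 HTTP/1.1|Host:media.example|Range:bytes=0-1|X-Playback-Session-Id:00000000-0000-0000-0000-000000000001|User-Agent:AppleCoreMedia/1.0.0.11B554a (iPad; U; CPU OS 7_0_4 like Mac OS X; en_us)
-req0001
-req0002
+req0003|GET /media/clip.mp4 HTTP/1.1|Host:media.example|Range:bytes=0-1|Cookie:SESSION=constructed456|User-Agent:AppleCoreMedia/1.0.0.11A501 (iPad; U; CPU OS 7_0_2 like Mac OS X; en_us)
-req0003
"""


def parse_forensic_line(line):
    """Parse one '+' entry into (request_id, request_line, headers)."""
    fields = line[1:].rstrip("\n").split("|")
    headers = {}
    for field in fields[2:]:
        name, _, value = field.partition(":")
        # The excerpt above shows ':' inside values escaped as %3a; decode it.
        headers[name.lower()] = unquote(value)
    return fields[0], fields[1], headers


def find_cookieless_player_requests(lines):
    """Return AppleCoreMedia requests that carried no Cookie header."""
    findings = []
    for line in lines:
        if not line.startswith("+") or "|" not in line:
            continue  # skip '-' completion markers and malformed lines
        request_id, request_line, headers = parse_forensic_line(line)
        agent = headers.get("user-agent", "")
        if not agent.startswith("AppleCoreMedia/") or "cookie" in headers:
            continue
        parts = request_line.split(" ")
        findings.append({
            "id": request_id,
            "path": parts[1] if len(parts) > 1 else "",
            "range": headers.get("range"),
            "playback_session": headers.get("x-playback-session-id"),
            "user_agent": agent,
        })
    return findings


if __name__ == "__main__":
    for hit in find_cookieless_player_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Grouping the findings by the build string in `user_agent` shows which iOS versions are affected among your own visitors.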
1

Using iOS 7.0.2, I am seeing cookies included in the request. Here's my user agent header:

User-Agent: AppleCoreMedia/1.0.0.11A501 (iPad; U; CPU OS 7_0_2 like Mac OS X; en_us)
  • Thank you very much Shawn for confirming this bug is fixed for AppleCoreMedia/1.0.0.11A501, the video player included with iOS 7.0.2 – Kalle Oct 09 '13 at 06:57
  • I know for sure that this bug exists for AppleCoreMedia/1.0.0.11A465, the video player included with iOS 7.0.0 but I do not know if the bug is fixed in iOS 7.0.1 – Kalle Oct 09 '13 at 07:04
  • I've now got a few friends with iOS 7.0.2 to visit a web page I set up to investigate this bug and I see clearly that the cookies do not work in AppleCoreMedia/1.0.0.11A501 if the visitor is using Safari. So I am a little puzzled that you, Shawn, write that cookies work in AppleCoreMedia/1.0.0.11A501. But I have also discovered that cookies work well in AppleCoreMedia/1.0.0.11A501 if the user visits the website via uiwebview (for example via the Facebook app). Maybe this problem is related to the Nitro engine in Safari? The Nitro engine is not used in uiwebview. – Kalle Oct 09 '13 at 08:17
  • Kalle, I tested with Safari, not a webview. My test was different in one respect, however: I used an HTML5 audio stream, not video. It shouldn't matter, but it might be worth checking. If that doesn't explain it, would you post your test page so I can try it? – Shawn Grunberger Oct 16 '13 at 20:38
  • We are experiencing no cookies in 7.0.3, but 7.0.2 seems to work. Not sure if this is a bug or security issue. We have had to resort to a patch of altering the URL to pass in session information, which is something we really don't like doing, but we validate the media URL from the session so we had to figure out some workaround – Jason Oct 23 '13 at 19:28
  • @Jason I can't reproduce it myself but in the web server logs (mod_forensics), I see iOS7.0.3 video requests without cookies. I'm also seeing it with iOS6.1.3 so maybe I'm up against a completely different problem. Did you ever figure out anything on why sometimes cookies are included and sometimes not? The weird thing is that one user can reproduce this bug (?) with all his iOS devices and I can't reproduce it with any of mine. – lemonad Oct 31 '13 at 14:46
  • Jason, I fully agree with what you write. It is really weird that for some users cookies work without problem regardless of what iOS version the user is running and for other users cookies do not work at all. There is no common denominator, which makes it extremely difficult to debug. It is only Apple themselves that can debug this issue. I've filed a bug report but it is doubtful whether it has even caught the attention of Apple and I do not know how to make Apple aware of this serious problem. It breaks a lot of sites that rely on cookie authentication for their video and audio clips. – Kalle Oct 31 '13 at 22:37
1

This problem is not yet fixed by Apple. We are continuously receiving reports from our users running iOS 7.0.6 that they are not able to play video clips because no cookies are included in the header.

And for many users, turning Safari into private mode, and then back to normal, does not fix the problem.

I have also noted that Dropbox wrote in their blog that they have reverted back to URL token authentication because of problems of this kind with video players.

Apple is continuously ignoring our bug report so this bug will probably not be fixed for a long time.

Kalle
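The URL token workaround mentioned in this answer, and in Jason's comment about passing session information in the URL, can avoid exposing the session id itself. This is an added example, not code from the thread or from Dropbox: it signs the media path, a user id and an expiry time with an HMAC. The key, function names and the `uid`/`exp`/`sig` parameter names are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a server-side secret; load it from configuration in practice.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _signature(path, user_id, expires):
    msg = f"{path}\n{user_id}\n{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def sign_media_url(path, user_id, ttl=300, now=None):
    """Return path plus a short-lived token bound to this path and user."""
    expires = int(now if now is not None else time.time()) + ttl
    query = urlencode({"uid": user_id, "exp": expires,
                       "sig": _signature(path, user_id, expires)})
    return f"{path}?{query}"


def verify_media_url(url, now=None):
    """Return the user id if the token is valid for this path, else None."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        user_id = params["uid"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None  # token missing or malformed
    current = now if now is not None else time.time()
    if current > expires:
        return None  # expired: a leaked URL stops working after ttl seconds
    expected = _signature(parts.path, user_id, expires)
    # Constant-time comparison so the check does not leak the signature.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return user_id
```

The player sends its range requests to the same URL, so `ttl` has to cover the expected playback time; the token also ends up in access logs, which is the reason to keep it short-lived and bound to one path.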
1

I'm hearing on the grapevine that iOS 10.2 will contain a fix for this problem

moloko
  • I hope your grapevine is right! I see [10.2 Beta 3](https://en.wikipedia.org/wiki/IOS_version_history) is available, but there's no list of bug fixes in the notes. How long does it usually take between a Beta and stable release? – Rick Nov 23 '16 at 01:12
  • 1
    EDIT: I heard from someone with a friend at Apple who said the stable iOS 10.2 version is due mid-December 2016. – Rick Nov 23 '16 at 04:03
  • Nope no fix yet. Still having this problem. – Rothrock Feb 02 '17 at 00:06
1

I had a similar issue with Safari. I was using an <audio> tag inside the HTML loaded by jQuery. Safari did not include cookies in the request for the audio source, therefore it did not load properly. But somehow it worked after I refreshed the page with CTRL+F5 - it sent cookies with this total reload...

I solved it by adding crossorigin="use-credentials"... Nasty problem.

Jakub
0

I had similar problems with cookies on iOS 7.0.3, but they are fixed now with iOS 7.0.4. Let's hope it stays this way.

juhovh