Understanding iOS Cookie Accept Policy

16
votes

The Apple docs about the cookie accept policy for NSHTTPCookieStorage are confusing.

This is what the docs say:

NSHTTPCookieStorage implements a singleton object (shared instance) that manages storage of cookies. Each cookie is represented by an instance of the NSHTTPCookie class. As a rule, cookies are shared among all applications and are kept in sync across process boundaries. Session cookies (where the cookie object’s isSessionOnly method returns YES) are local to a single process and are not shared.

iOS Note: Cookies are not shared among applications in iOS.

Note: Changes made to the cookie accept policy affect all currently running applications using the cookie storage.

And the following about - (void)setCookieAcceptPolicy:(NSHTTPCookieAcceptPolicy)aPolicy

The default cookie accept policy is NSHTTPCookieAcceptPolicyAlways. Changing the cookie policy affects all currently running applications using the cookie storage.

Now my first thought was if an app was to call setCookieAcceptPolicy, the change would affect other running applications. This does not appear to be the case. Calling setCookieAcceptPolicy will only affect the app which called it.

The only cookie policy which applies to all running applications is the Safari one. In iOS 7 before an app calls setCookieAcceptPolicy, it uses the safari policy. So if the safari cookie policy is set to always block, then any app won't be able to use cookies until it sets its own cookie policy. I understand this has caused issues for a lot of apps since iOS 7 came out.

Is my observation correct about all this, or have I missed something?

Edit

I've raised a bug with Apple and waiting to hear back from them now.

2
ioscookies
I am not able to reproduce this issue. I am using an iPod with iOS 7.0.4. After I have set the cookie policy in the Safari setting to always block and restarted my app which does not set any cookie accept policy, the cookie accept policy is still NSHTTPCookieAcceptPolicyOnlyFromMainDocumentDomain.user3325087

2 Answers

14
votes

I've run some tests on my app and found that on iOS 7, the default cookie policy for apps is set to Safari's cookie policy. Changing the cookie policy in Safari, killing, and then restarting my apps, also would change the cookie policy in my apps. Adding the following line to my each of my apps:

[[NSHTTPCookieStorage sharedHTTPCookieStorage] setCookieAcceptPolicy:NSHTTPCookieAcceptPolicyAlways];

Would change my apps accordingly, but not have any effect on Safari. Also, changing one app did not seem to affect any other of my apps.

0
votes

Your observation seems to hold on 8.4 also Fortunately, starting from 7.0 it can be changed on a per session basis:

NSURLSessionConfiguration *configObject = [NSURLSessionConfiguration ephemeralSessionConfiguration];
if(configObject.HTTPCookieAcceptPolicy != NSHTTPCookieAcceptPolicyAlways) {
        NSLog(@"default cookie accept policy was %lu", (unsigned long)configObject.HTTPCookieAcceptPolicy );
        configObject.HTTPCookieAcceptPolicy = NSHTTPCookieAcceptPolicyAlways;
    }

Also the default on 9.0 seems to be NSHTTPCookieAcceptPolicyAlways so that you won't hit that "if" (in case you want to mark the feature in apple bugreporter closed and cement the issue here on s.o. also)

On 8.4 I get NSHTTPCookieAcceptPolicyOnlyFromMainDocumentDomain, at least on ephemeral session. Safari cookie policy in my case is "Allow from Websites I visit". Not so subtly changing it to "Allow from Current Website Only" yields the very same NSHTTPCookieAcceptPolicyOnlyFromMainDocumentDomain. as does setting it to "Always Block". Bottom line is that on ios 8 default is different from ios 9 and does not seem to be affected by the safari cookie policy chooser.