2
votes

I'm trying to set a cookie using PHP cross-domain, meaning my JS is hosted on another domain and the JS calls a PHP page which tries to set a cookie. It works in all browsers except Safari on mobile (iPhone 6). The weird thing is that I can get the user's cookies but cannot set one (sometimes it sets an empty cookie, with 0 bytes).

Here is my code in the PHP file:

header('Access-Control-Allow-Origin: '.$origin);        
header('Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Headers: X-Requested-With');
header('Access-Control-Max-Age: 1728000');
setcookie("display_session_id", "1234", time() + (60 * 43800), "/", '.mydomain.com', false);

I tried to put * instead of $origin, but it didn't work. I also tried to put those declarations in my .htaccess, but that didn't work either. Server: Apache. PHP version: 5.4.45

Here are the headers from Safari:

1 Answer

3
votes

Safari now blocks almost all cross-domain cookies from unknown domains by default. What this means is this:

Main Site: example.com
Cookie Site: cookie.com

If the user goes to example.com and they've never been to cookie.com, Safari will not allow them to store a cookie for cookie.com. If the user goes to example.com and has previously been to cookie.com, Safari will allow the cookie no questions asked.

This is the default policy; however, you should also be having issues with Safari on the desktop and Internet Explorer's new policy that messes with P3P.
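An added example, not part of the question or the answer: the server side of the credentialed CORS exchange from the question, with the Origin checked against an exact-match allowlist, since browsers reject `Access-Control-Allow-Origin: *` on responses to credentialed requests. It has no effect on the Safari third-party cookie policy described in the answer. The allowlist entry, the `cors_headers_for` helper, the 403 for unlisted origins and the HTTPS-only cookie flags are assumptions.

```php
<?php
// Added example. Assumption: this endpoint is only called cross-origin
// by the sites listed in $allowed (constructed value below).

/**
 * Return the CORS headers for a credentialed request, or an empty
 * array when the Origin is missing or not on the allowlist.
 */
function cors_headers_for($origin, array $allowed)
{
    // Exact string match only: no substring, suffix or regex checks,
    // and never a blind echo of whatever Origin the client sent.
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return array();
    }
    return array(
        'Access-Control-Allow-Origin: ' . $origin,
        'Access-Control-Allow-Credentials: true',
        'Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT',
        'Access-Control-Allow-Headers: X-Requested-With',
        'Access-Control-Max-Age: 1728000',
        // The response differs per Origin, so caches must key on it.
        'Vary: Origin',
    );
}

$allowed = array('https://www.example.com'); // constructed allowlist
$origin  = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : null;
$method  = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';

$headers = cors_headers_for($origin, $allowed);
if (!$headers) {
    http_response_code(403); // unlisted origin: no CORS headers, no cookie
    exit;
}
foreach ($headers as $h) {
    header($h);
}

if ($method === 'OPTIONS') {
    http_response_code(204); // preflight: headers only, no cookie
    exit;
}

// Same cookie as in the question, but marked Secure and HttpOnly
// (assumes the endpoint is served over HTTPS).
setcookie('display_session_id', '1234', time() + (60 * 43800), '/', '.mydomain.com', true, true);
```

The calling script must also send the request with credentials enabled (`withCredentials = true` on `XMLHttpRequest`), otherwise the browser ignores the `Set-Cookie` header in the response.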