[Android] Cookies are not persisted across network requests

[h87kg]

Hi,

When send a GET request, tell me to login, but it's really logged in. The issue only on Android.

[mkonicek]

Hey @h87kg, can you clarify "tell me to login"? Where are you sending a GET request? Can you share your code?

[h87kg]

1. logged in successfully after invoke new AccountService.login()
2. failed without authorization after invoke new FlightService().searchFlights()

class AccountService extends Service {
  login(username, password) {
    var formData = new FormData();
    formData.append('loginName', username);
    formData.append('pwd', password);
    return fetch(`${this.URL}/sme/employee/login.json`, {
      method: 'POST',
      body: formData,
    })
    .then(response => response.json());
  }
};

class FlightService extends Service {
  searchFlights(fromCity, toCity, depDate) {
    return fetch(`${this.URL}/sme/flight.json?depCityCode=${fromCity.flightCityCode}&arrCityCode=${toCity.flightCityCode}&depDate=${DateFilter.format(depDate, 'yyyy-MM-dd')}&forBusiness=Y&isCivilServants=N`)
    .then(response => response.json());
  }
}

[h87kg]

I found the second request didn't sent the cookie info, such as:

Cookie:      PHPSESSID=jciun1hfmsqcvivvpvdbd2adp2
Cookie2:     $Version=1

POST /sme/employee/login.json

sent:

Content-Length:  32
Content-Type:    application/x-www-form-urlencoded
Host:            
Connection:      Keep-Alive

received:

Server:             nginx/1.0.15
Content-Type:       application/json;charset=UTF-8
Transfer-Encoding:  chunked
Connection:         keep-alive
Vary:               Accept-Encoding
X-Powered-By:       PHP/5.4.37
Set-Cookie:         PHPSESSID=gsdv1qgf3togdmql26pkuesiv7; path=/
Cache-Control:      no-cache
Date:               Thu, 17 Sep 2015 11:57:02 GMT
Content-Encoding:   gzip

GET /sme/flight.json?depCityCode=BJS&arrCityCode=CTU&depDate=2015-09-18&forBusiness=Y&isCivilServants=N

sent:

Host:            
Connection:       Keep-Alive
Accept-Encoding:  gzip
User-Agent:       okhttp/2.4.0

received:

Server:             nginx/1.0.15
Content-Type:       application/json;charset=UTF-8
Transfer-Encoding:  chunked
Connection:         keep-alive
Vary:               Accept-Encoding
X-Powered-By:       PHP/5.4.37
Set-Cookie:         PHPSESSID=bu8drc39vp7rkr90j3i5eji7j1; path=/
Cache-Control:      no-cache
Date:               Thu, 17 Sep 2015 11:57:06 GMT
X-Debug-Token:      22f42f
Content-Encoding:   gzip

[mkonicek]

Thanks for the detailed report! I think @andreicoman11 might know about cookies.

[jhen0409]

Maybe and this related: https://github.com/github/fetch#sending-cookies

[mbrock]

credentials: 'same-origin' doesn't help on Android, but works fine on iOS.

This can be easily tested by requesting http://httpbin.org/cookies/set?foo=bar and then http://httpbin.org/cookies.

The Set-Cookie header is also hidden from the headers object so there seems to be no way of using cookies on Android.

[arsham-f]

I'm having this same issue. Apparently the network stack on iOS automatically retains the cookies, but Android doesn't. This is a pretty big showstopper because you can't keep any sessions with remote APIs.

[CCoffie]

+1

[mkonicek]

Looks like credentials: 'same-origin' should indeed work: https://github.com/github/fetch#sending-cookies.

The way the cookies are handled should probably respect the same origin policy? What does the spec say?

Might be just not implemented yet. Will check with @andreicoman11. Would be awesome if you can point to the Java file where we are not persisting the cookies :)

[dizlexik]

Yeah I agree with @arsham-f, this is a pretty big showstopper as I am working on a project right now with a requirement to use a session-based API.

I looked into it a bit and, likely naively, attempted to add cookie support in OkHttpClientProvider.java by adding:

CookieManager cookieManager = new CookieManager();
cookieManager.setCookiePolicy(CookiePolicy.ACCEPT_ALL);
sClient.setCookieHandler(cookieManager);

Didn't work, but maybe I was on the right track and someone can run with that.

[mkonicek]

Thanks for trying @dizlexik. I agree this is quite high-pri, hopefully we can find bandwidth to fix it soon or someone can send a PR.

[lexs]

I just landed 274c5c7 which should match iOS behavior (when we have WebView)

[andriniaina]

Hello, is this available in v0.15 or 16 ?

[ide]

It will be available in 0.17.

[mkonicek]

It made the 0.16 cut and I even cherry-picked it to 0.15, give it a try :)

See the history for the 0.15 branch:
https://github.com/facebook/react-native/compare/0.15-stable

[ide]

Oops didn't realize 0.16 was cut so recently.

[andriniaina]

I just tested it. It's working as expected. Thanks 👍 The bug was really a showstopper.

[johnckendall]

Should this solve the issue where the SESSION cookies aren't being sent back to the server? If so, it doesn't seem to be working for us...

Or maybe we don't understand the build process; is there some other step to rebuild for Android after upgrading to 0.15 (other than react-native run-android) ?

(a wireshark grab does show the JSESSIONID coming to the client but not getting returned on a subsequent GET)

(also, we verified that the new version of NetworkingModule.java is present)

[andriniaina]

I had the same issue at first when I tried to upgrade my project. But it worked after starting from a new project.

[eddiefletchernz]

Mine started working with session cookies straight away after upgrading.

Did you also run react-native upgrade after npm installing the new version?

Also make sure you are passing the option "credentials" to "same-origin" on all requests through fetch

See: https://github.com/github/fetch#sending-cookies

[szq4119]

https://github.com/szq4119/react-native-async-http

[johnckendall]

Thought I already replied but I don't see it so posting this FYI:
Thanks guys, after fulling upgrading the project and resolving issues this now appears to be working as it should.

Thanks for the fix!

[atom992]

@johnckendall which version of react-native are you upgrade?

[Brian-Kaplan]

@andreicoman11 @lexs I would like to use this feature but I do requests in both Java Android code and JS React Code.

Currently I'm able to use the CookieJar class with OkHTTP3 in Java to easily get and set cookies for me in Native Android code. i.e. Auth request gives me set cookies (automatically saved) and get request automatically adds the cookies as headers for me.

Is it possible that in JS code I can access that same CookieJar (using fetch API) without having to add a bridging wrapper class. It seems like there is no way to seamlessly persist cookies between JS and Java when using React Native. A friend of mine was able to easily do this on iOS

Here is a stack overflow post I made with more details
http://stackoverflow.com/questions/39861466/share-cookies-between-react-native-activity-and-native-android-activity-using-co

I opened a new issue
#10254