Fixed: Apps (Cordova/PhoneGap) targeting LOLLIPOP or later default to disallowing third party cookies



When I ported a Cordova app to Android 5 (Lollipop), I noticed, that the login does not work anymore. In prior versions of Android it works like a charm (app login is based on session cookies).

Part of the Android Lollipop changes:
Apps that target KITKAT or below default to allowing third party cookies. Apps targeting LOLLIPOP or later default to disallowing third party cookies.
https://developer.android.com/reference/android/webkit/CookieManager.html 
Android 5.0 changes the default behaviour for your app.
If your app targets API level 21 or higher:
The system blocks mixed content and third party cookies by default. To allow mixed content and third party cookies, use the setMixedContentMode() and setAcceptThirdPartyCookies() methods respectively.
The system now intelligently chooses portions of the HTML document to draw. This new default behaviour helps to reduce memory footprint and increase performance. If you want to render the whole document at once, disable this optimization by calling enableSlowWholeDocumentDraw().
If your app targets API levels lower than 21: The system allows mixed content and third party cookies, and always renders the whole document at once.
https://developer.android.com/about/versions/android-5.0-changes.html#BehaviorWebView

Indeed, if the app rely on session cookies it will stop working as expected.

However. Here is a fix to make session cookies work again on Android Lollipop and above:

/*
       Licensed to the Apache Software Foundation (ASF) under one
       or more contributor license agreements.  See the NOTICE file
       distributed with this work for additional information
       regarding copyright ownership.  The ASF licenses this file
       to you under the Apache License, Version 2.0 (the
       "License"); you may not use this file except in compliance
       with the License.  You may obtain a copy of the License at

         http://www.apache.org/licenses/LICENSE-2.0

       Unless required by applicable law or agreed to in writing,
       software distributed under the License is distributed on an
       "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
       KIND, either express or implied.  See the License for the
       specific language governing permissions and limitations
       under the License.
 */

package com.blogspot.tol8;

import android.os.Bundle;
import org.apache.cordova.*;
import android.os.Build;
import android.webkit.CookieManager;
import android.webkit.WebView;

public class MyApp extends CordovaActivity
{
    @Override
    public void onCreate(Bundle savedInstanceState)
    {
        super.onCreate(savedInstanceState);
        super.init();

        // Allow third party cookies for Android Lollipop
        if(Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP)
        {
                WebView webView = (WebView)super.appView;
                CookieManager cookieManager = CookieManager.getInstance();
                cookieManager.setAcceptThirdPartyCookies(webView,true);
        }
        super.loadUrl(Config.getStartUrl());
    }
}

BTW: Make sure that you use the latest Android SDK to compile the source code. I have also created an issue at the Cordova bug tracker (https://issues.apache.org/jira/browse/CB-8026).

5 comments:

  1. Cool post, very useful for me, thank you so much dude.

    ReplyDelete
  2. Wow, thanks for the post. Exactly what I'm looking for.

    ReplyDelete
  3. Nice one, thank you for sharing.

    ReplyDelete
  4. Great, I finally fix my app with your help :) Thanks!

    ReplyDelete
  5. Finally the fix is included in Cordova 4.3.0 https://www.npmjs.com/package/cordova

    Don't forget to update your platform too.

    ReplyDelete