Safari keeps logging me out...

NP Complete wrote:
Thanks Alan, your info has been most helpful. I don't think I'll need to look at your screenshot after all.

I think I've got a working theory on the issue now.

That's great news.

BTW, it's a screen cast recording of the actual problem being reproduced where you can see the bug happen in the "cookies" window. It might be more helpful than you think... but if you've already got it repro'd then that's fine. Even though I did spend 20 minutes making it, just for you 😉

LMK,
Alan

I don't use it either.

NP Complete wrote:
Re-installing Safari will have NO effect. I wouldn't waste your time doing this. Rolling back will similarly have no effect.

1) A change in 10.6.3 that limits cookies to 4k per request coupled with the failure to throw out the oldest cookies first will allow a site to 'Denial of service' themself by setting a very large cookie. This generally looks to the web app as if cookies are not enabled (since the app can't actually set new cookies). This was resolved in 10.6.4, which now throws the oldest cookies away first when the total size of the Cookie header exceeds the 4k limit. A new possible issue here could be if the site expects the cookies to come back in the order in which they're set. Since cookie ordering isn't defined this would really be not-advisable.

Your first line pretty much nails it. The problem started with 10.6.3. I've rolled back several times to 10.6.2, and the problem completely goes away.

I've tried reinstalling Safari and restoring my MacBook, and it doesn't make a difference. If I stay at 10.6.2, no issues. Safari 5 didn't make a difference. Safari 5.0.1 didn't make a difference.

This issue doesn't seem to effect FireFox, Camino or Opera.

If I sign in and don't use it for a while, it seems fine (right before I go to bed). One or two clicks later (when I get up in the morning) and it starts logging out.

I got tired of dealing with it and rolling back to 10.6.2. I'm sticking with the other browsers until this is addressed.

I don't know if this will help, but I did experience this problem before the 10.6.3 update too. The problem went away when I stopped using the Squid caching proxy on my computer. After I disabled that I could stay logged in to my sites for hours. Since 10.6.3 it's been just as bad as it was when I was using Squid, if not worse. I have noticed that I get logged out of my sites quicker if I do a lot of heavy surfing as well. Maybe it's unrelated, but I thought I'd throw it out there.

I'm having the same problems and it's driving me crazy. I'm switching to Google Chrome.

Has anyone ever found out why Safari keeps logging out on
websites? The latest Safari update (I think) has been give me
no end of problems retaining username info, account numbers,
etc. Everytime I leave a site where I have selected an option to
remain logged in or have information remembered...all that info
is wiped out and I have to begin all over. I have already transfered
a number of accounts to my Firefox browser. Will stay with Firefox
if need be. But I would like to know exactly what the problem is with
Safari 4.1.1 on my MacBook(OSX 4.1.11).
-Mo

Hello All,

Just an FYI, I was quite frustrated with this issue at work, where I regularly would get logged out of our secure sites and waste time logging back in.

I have followed this thread for some time, and I know the CFNetwork cooking handling was discussed previously (page 8 I think)

I think, tentatively, this may be fixed by the latest security update, which happens to replace the CFNetwork component of the OS due to some security issues.

I just installed the latest OSX Security Update 2010-005 ( http://support.apple.com/kb/HT4312) today, and I've been running for about 6 hours, actively using all the same sites where this issue would rear its head.

I'll post back in this thread if I encounter the issue again.

Cheers.

And, after a significantly longer time period than usual, the issue has started occuring several times per hour again.

I believe I've come up with the precise way to trigger this issue. I've created a test page that sets some arbitrary cookies. Using Safari 5 on Windows, or Safari 4 or 5 on Mac OS 10.6.4 I can reproduce this issue at will.

Page 1: Set 5 cookies, named a, b, c, d and e. Cookies a through d have a value of 1000 characters ('aaaaaa...'), no attributes. Cookie e has a value of 72 chars, no attributes. Click through to Page 2.

Page 2: Set an additional cookie called f with a value of 1 char 'b'. No attributes. Returns all 5 original cookies in tact. Click through to Page 3.

Page 3: Retrieve cookies a through f. At this point, cookie e is lost.

The key here is that the total size of all cookies (name, value and attribute) for this host reaches 4082 bytes and is lost once it reaches 4083.

I can NOT reproduce this behavior with IE 6 or Firefox, nor can I reproduce it with Safari 3 or Safari 4 on 10.5.

I believe this is the root cause of the issue. NP Complete, feel free to contact me directly for more details.

sdlevi27 wrote:
I believe I've come up with the precise way to trigger this issue. I've created a test page that sets some arbitrary cookies. Using Safari 5 on Windows, or Safari 4 or 5 on Mac OS 10.6.4 I can reproduce this issue at will.

sdlevi27,

I believe you should review a message posted by NP Complete on Jul 29, 2010 7:31 PM, here is a copy for your convenience:

+The cookie limits are as given in http://www.ietf.org/id/draft-ietf-httpstate-cookie-10.txt+

+4096 k total for the 'Cookie:' header size+

+50 cookies per domain.+

+Past that, the oldest cookies will be dropped first.+

IMHO favoring draft standards instead of user convenience is not very wise idea. I am glad other browser publishers do not follow this route. Anyway, the real problem (Safari dropping transient cookies) is already documented by multiple users. NP Complete stated he has a working version.

And, just for the sake of updating the problem status, the recent Mac OSX update does not address the problem.

Rushproject,

Thanks for the info. I saw the post by NP Complete referencing the cookie limit spec, but I think he misinterpreted it. He says:

"4096 k total for the 'Cookie:' header size" but the spec clearly states "At least 4096 bytes per cookie (as measured by the sum of the length of the cookie's name, value, and attributes)".

No where in my test does 1 single cookie exceed 4096 bytes. Instead, it appears that cookies begin to get dropped when the sum of the size of all cookies for 1 host exceeds 4096 bytes.

sdlevi27 wrote:

"4096 k total for the 'Cookie:' header size" but the spec clearly states "At least 4096 bytes per cookie (as measured by the sum of the length of the cookie's name, value, and attributes)".

No where in my test does 1 single cookie exceed 4096 bytes. Instead, it appears that cookies begin to get dropped when the sum of the size of all cookies for 1 host exceeds 4096 bytes.

sdlevi27

I assumed you have not seen the message, because your test shows that Safari works exactly as promised - it does not allow total size of cookies to exceed 4096 bytes to keep Cookie header within the 4K bounds...

Thank you for reading the specification. I hope your findings will be addressed by Apple. Many tracking services (e.g. Google Analytics) use very lengthy cookies. By including too many 3rd party services along with installing numerous scripts, one can probably exceed the 4096 bytes limit for Cookie header.

The problem that is much harder to track is that Safari keeps dropping transient cookies even if Cookie header is well below 100 bytes. And this happens at random...

sdlevi27 - great work on reproducing that. That sounds entirely consistent with my observations as well. I think that there must be a 4096b limit on total cookie size, when it should be per cookie.

Seems that the browser should simply never store any single cookie with >4096 bytes of data, and all other cookies should be respected regardless of total cookie data size.

Hopefully Apple can get this fixed soon. It's been a nightmare for our customers that are constantly complaining about getting logged out.

Thanks Alan. I agree with your statement. Rushproject, I disagree with your statement that Safari is behaving "exactly as promised". I think you're confusing per-cookie limits in the spec with total cookie limits per domain.

sdlevi27 wrote:
Thanks Alan. Rushproject, I disagree with your statement that Safari is behaving "exactly as promised". I think you're confusing per-cookie limits in the spec with total cookie limits per domain.

I do not confuse per-cookie limits with total cookie limits. Apple (NP Complete) explicitly told that there is 4096 Cookie header limit. That places limit on total cookie limit (browser is not allowed to send more than 4096 bytes in Cookie header). So Apple promised to delete cookies to keep total size below 4096 and Safari does it. I do not see anything to argue about here, as far as "promises" are concerned :o)

As long as the draft standard does not limit total size of cookie header, there is an easy to fix problem. My point is that the 4096K limit problem is not related to random logouts issue, as the logouts happen when total cookie size is below 100 bytes. Fixing the 4096K issue (which must be done, as it is not even standard compliant) will not solve the logouts problem.