Safari keeps logging me out...

to NP Complete

Thank you very much for thorough explanations. I am trying to find exact reason behind frequent logouts when browsing our own web site. Setting up extensive cookie logging at the moment. Hope to provide you with a setup for easy replication of the problem.

Meanwhile I noticed that most random logout problems are related to transient cookies (cookies that do not have any expiration date specified). As I understand, Safari does not record such cookies to the ~/Library/Cookies/Cookies.plist, so access permissions/corrupt file cases are not applicable here. I wonder if there were some changes to transient cookies handling during last spring upgrade that could result in cookies being corrupted or lost.

Do you see any "Cookies - corrupt.plist" files in ~/Library/Cookies ?

I'll look into the theory that the session cookies are being lost.
Any concrete detail you can give me (or steps to reproduce) would be most helpful.

My ~/Library/Cookies shows single entry:

ls -la ~/Library/Cookies
total 5648
drwxr-xr-x 3 sure staff 102 Jul 8 19:15 .
drwx------+ 50 sure staff 1700 Jul 8 19:10 ..
-rw-r--r--@ 1 sure staff 2891130 Jul 8 19:15 Cookies.plist

Our web application uses transient cookie (no expiration date set) to hold the session id. The total cookie header size is about 400 bytes so far - mostly Google Analytics tracking cookies. I have enabled in and out cookie header tracking in Apache access logs. I see no cookie format problems so far. I do not see the session cookie saved in the Cookies.plist. If further information needed, you may contact me through home page in my profile.

Usually it takes 1-3 hours for the Safari left idle for the logout to happen. Program timeout set to 10 hours. If working intensively, the logouts happen much more frequently. Waiting for logout to capture log file entries now...

NP Complete wrote:
One of the main problems is that (until recently) there hasn't been a browser-consensus on how to deal with real-world cookies. Browsers literally flip-flop behavior until this issue or that is resolved because it works in I.E. or Firefox. Luckily Adam Barth has come up with a real solution in the form of http://tools.ietf.org/html/draft-abarth-cookie-07 . So hopefully the current cookie practices of major browsers can at least be locked in stone.

Unfortunately the real solution has already expired: "This Internet-Draft, draft-abarth-cookie-07.txt, has expired, and has been deleted from the Internet-Drafts directory" (cfr. <http://www.rfc-editor.org/internet-drafts/draft-abarth-cookie-08.txt>)

NP Complete wrote:
1) A change in 10.6.3 that limits cookies to 4k per request coupled with the failure to throw out the oldest cookies first will allow a site to 'Denial of service' themself by setting a very large cookie. This generally looks to the web app as if cookies are not enabled (since the app can't actually set new cookies). This was resolved in 10.6.4, which now throws the oldest cookies away first when the total size of the Cookie header exceeds the 4k limit. A new possible issue here could be if the site expects the cookies to come back in the order in which they're set. Since cookie ordering isn't defined this would really be not-advisable.

So to summarize for my case: The bug is in ADFS; it should not make any assumptions about cookie order. Right?

to NP Complete

Registered first logout. I can send log file entries showing cookies in and out, just give me direct email (my email is on file, also LinkedIn profile has a reference to contact page).

It looks like transient cookies storage starts to drop oldest cookies when it runs out of memory. My MacPro was mostly unattended this Sunday and it took about 22 hours to loose some cookies. On work days it happens faster.

Multiple random logouts today. Each time transient session cookie is lost. Confirmed with 2 different packages (in-house and 3rd party) on 2 servers. Complete access log is available. No corrupt cookies. No intermediate Set-Cookie headers. Just out of sudden transient cookie is not in the Cookie header sent by browser any more. All non-transient cookies are intact.

Unfortunately missing cookies is not a theory. To me it is a sad practice. Hope, the issue will be fixed sooner or later. Switching back to Firefox meanwhile...

rushproject: this is expected. When CFNetwork runs out of room in the Cookie: header, it will begin punting cookies. Which site requires that many cookies without clearing some of the unneeded cookies?

Do they realize that they're creating an awful lot of traffic for themselves by not clearing un needed cookies?

BVdB: that's correct. According to the most current of the abarth cookie drafts, servers should not count on the order of returned cookies. This draft ought to become a published RFC before mid autumn.

NP Complete wrote:
rushproject: this is expected. When CFNetwork runs out of room in the Cookie: header, it will begin punting cookies. Which site requires that many cookies without clearing some of the unneeded cookies?

I have already wrote that max size of cookie header is 400 bytes. Is this "that many cookies" that forces Safari to drop cookies? If yes, may I suggest increasing this threshold to match other browsers that happily keep transient cookies for weeks until I reboot my Mac?

Which site? Our own site. I have already wrote that I configured cookie header logging in Apache. On each and every HTTP request it now records contents of Cookie header coming in as sent by browser and Set-Cookie header as returned by the application. The application sets cookie only once per session. The cookie holds for some time, the more work I do in browser the shorter is that time, then drops suddenly.

Do they realize that they're creating an awful lot of traffic for themselves by not clearing un needed cookies?

I do not think that extra 400 bytes makes any difference on average web page transmitted by our server. Anyway, compared with a browser dropping cookies problem, this is definitely is not issue...

Based on your description, it sounds like you may be running into the max cookie per domain limit (which was set to 50 in 10.6.3, along with the maximum cookie header size). If this isn't the case and your domain maintains fewer than 50 cookies at any given point, then CFNetwork is dropping cookies due to some other issue which hasn't yet been identified.

The maximum cookie header size is 4 kilobytes, sorry not sure if this has been mentioned yet. 400 bytes is way under this. 4k is experimentally the same size that IE clips cookie headers to.

NP Complete wrote:
Based on your description, it sounds like you may be running into the max cookie per domain limit (which was set to 50 in 10.6.3, along with the maximum cookie header size). If this isn't the case and your domain maintains fewer than 50 cookies at any given point, then CFNetwork is dropping cookies due to some other issue which hasn't yet been identified.

50 cookies in 400 bytes? Are you kidding? :o)

Just in case: how do you calculate the cookie per domain limit? We use multiple subdomains, that is

site1.example.com
site2.example.com
site3.example.com

Each subdomain has its own cookie set. If, for example, each subdomain sets 3 cookies, will all 3x3=9 cookies count towards the 50 cookie limit? To avoid any misunderstanding here is sample complete Set-Cookie header (no domain specified explicitly):

SID=6286ZB993BDB97980E97C56484943445DB52B; path=/


Also, please note that when Safari starts logging me out, this is a widespread problem. Not only our site is affected - I had to quit using Safari since April because of the cookie problem, so I can't give you lengthy list, but during the recent 3 day test I was constantly kicked off LinkedIn. Also there were problems working with PayPal - not logging out, but navigation problems (clicking on some links results in reloading of current page - all other browsers work just fine).

The lost cookie problem persist on all Mac OSX computers I have, even the one that has Logic Studio as the only additional package installed. So there is no 3rd party software to blame. All computers have plenty of RAM, usually maxed out to the hardware limits (may be this is the problem - some non-proportional memory allocation?)

The hardware isn't the issue, and the max cookies per domain are per full domain, 50 for .foo.com, 50 for img.foo.com, 50 for www.foo.com, etc.

You are seeing problems on 10.6.4 with nothing installed by Logic Studio? That seems quite odd. I honestly don't have enough info on this issue to figure out what's going on. Could you give me a list of steps that appears to cause cookie loss for you at least some times?

Ex: reset safari, log into google reader, open Net News Wire, wait 2 minutes, google reader is logged out.

Something that's simple is preferable, something that is 100% reproducible would be the best.

Yes, the problem shows on every system since April. The almost "stock" OSX system uses 1Password with Safari extension installed (I forgot to mention it). There is no step by step sequence to reproduce the error. My day to day workflow that reproduces the error is

1) start web browser
2) open multiple (~10) tabs from a bookmarks folder (online help desks for different products)
3) login to each help desk
4) work with web based applications

If I use Safari as a browser, sooner or later it starts dropping cookies. On multiple sites. The more often I use Safari, the sooner I get into the problem.

I can try to reproduce the problem using stock OSX setup or by incrementally adding 3rd party applications, if needed. Probably the best idea would be to setup OSX Server VM using Parallels and sending you the image as soon as the problem surfaced. Please feel free to contact me if you believe this could help.