iPad Safari Cookie size limits?

Question

Level 1

4 points

iPad Safari Cookie size limits?

We're using an application called Tableau (business intelligence) with Active Directory Federation Service v.3 (ADFS 3, Windows 2012 R2) for single sign on. Using Fiddler on a browser, it appears that when logging on to ADFS after having been redirected from Tableau, 7KB of cookies are set and then recalled by the ADFS server.

When attempting the same functionality from the iPad, the ADFS server errors out and the error event on the server has the following text in it:

MSIS7046: The SAML protocol parameter 'RelayState' was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.

I have the Safari settings to allow all cookies.

iOS : 8.3

I found some old blog postings on this about Safari limiting total cookies per domain to 4KB. Is this limit still in play? Is this a violation of RFC?

Thanks.

Doug

iOS 8.3

Posted on Apr 22, 2015 12:12 PM

Reply

Answer 1

Best reply

DG_ITGuy Author

Level 1

4 points

Apr 24, 2015 6:25 AM in response to DG_ITGuy

I've done a little more digging. I was able to hook up an iPad to Fiddler and observe that the Safari browser does not send back all of the cookies that are sent to it. In Safari, 4 cookies come down as part of the initial ADFS form display to logon named MSISSSamlRequest, MSISSSamlRequest1, MSISSSamlRequest2, MSISSSamlRequest3.

The 4 go up as part of the Post with the username and password.

And one additional new one is send down as the reply from the Post, MSISAuth

But in going to the next page after the Post.. a Get request to /adfs/ls/ only these cookies get sent to the server:

MSISAuth
MSISSSamlRequest
MSISSSamlRequest1
MSISSSamlRequest2

The browser does not send MSISSSamlRequest3.

Interestingly, I tried it with Chrome on the browser as well and the cookie that does not get sent back is MSISAuth, which leads to the initial logon form being re-displayed as if you first came to the page.

One other thing: I see that the Tableau application is using a form Post for the initiation of the authentication redirect and not a ws-federation redirect with query strings. I checked on Office 365 and that is configured for query string redirection which results in setting of cookies after the very last step and seem to only be there in case the user gets back to that same authenticate page for some other application and it won't re-prompt within a certain time period.

What is happening to the cookies on the iPad? How can I see the individual cookies that are stored on the device?

Reply

Answer 2

rccharles

Level 6

12,957 points

Apr 24, 2015 12:28 PM in response to DG_ITGuy

"Safari includes Web Inspector, a powerful tool that makes it easy to modify, debug, and optimize a website for peak performance and compatibility. To access these tools, enable the Develop menu in Safari’s Advanced preferences."

https://developer.apple.com/safari/tools/

Unless something has changed, you need a Mac to run the web inspector ( web inspector run on a mac. )

https://developer.apple.com/library/mac/documentation/AppleApplications/Conceptu al/Safari_Developer_Guide/GettingStarted…

I'd try iCab.

https://itunes.apple.com/us/app/icab-mobile-web-browser/id308111628?mt=8

Has a good reputation for innovation and responsive to requests.

Robert

Reply

Answer 3

Dec 21, 2015 1:23 AM in response to DG_ITGuy

Hi, Did you find a solution to this issue? We are facing the same problem. Thanks for your help.

Reply