How can I fix a Safari 16.4 session bug that randomly resets the session token?

Bob
May 16, 2023
177 views
0 votes
2 Answers

The latest update to Safari v16.4 (MacOS) is not maintaining a session in a Laravel (PHP) application I maintain and it will randomly logout users and not maintain items in the shopping cart.

This is reported in the Apple developer forum – https://developer.apple.com/forums/thread/728137 and there’s a Webkit bug report here – https://bugs.webkit.org/show_bug.cgi?id=255524, but there is no resolution that I am aware of.

One possible workaround noted in the Webkit ticket is to change the SameSite attribute from ‘lax’ to ‘none,’ which fixes the issues on Safari, but breaks the session behavior on the latest version of Chrome and is generally not recommended.

Is there another approach to how we are handling our sessions or cookies that could resolve this issue, or is this truly a Webkit bug that can’t be worked around until the issue is resolved with a Safari update?

Answers

- apokryfos
- April 22, 2023 at 8:36 am
- 0 votes
0
While this is not ideal, you can configure SameSite to target only buggy Safari implementations:

First override the built-in StartSession middleware.
```
namespace AppHttpMiddleware;

use IlluminateSessionMiddlewareStartSession as FrameworkStartSession;

class StartSession extends FrameworkStartSession {
    protected function addCookieToResponse(Response $response, Session $session)
    {
        // Maybe use something a bit more sophisticated here like e.g. detecting only the buggy versions
        if (Str::contains(request()->server('HTTP_USER_AGENT'), 'Safari')) { 
           config([ 'session.same_site' => 'none' ]);
        }
        return parent::addCookieToResponse($response, $session);
    }
}
```
Then in your app/Http/Kernel.php replace the StartSession middleware under web with your own override.

This should leave other browsers to behave as before.

You can put the same logic in a service provider as well but that will not work if you are using Laravel Octane. Middleware should work in all cases.
Login or Signup to reply.

I resolved by referencing above your code first this does not check for other browsers so I update your code a little bit as below. Here are updated version.
Inside CustomSession.php

<?php

namespace AppHttpMiddleware;

use IlluminateContractsSessionSession;
use SymfonyComponentHttpFoundationResponse;
use IlluminateSupportStr;
use IlluminateSessionMiddlewareStartSession as FrameworkStartSession;

class CustomSession extends FrameworkStartSession {
    protected function addCookieToResponse(Response $response, Session $session)
    {
        // Maybe use something a bit more sophisticated here like e.g. detecting only the buggy versions
        $userAgent = request()->server('HTTP_USER_AGENT');

        if (Str::contains($userAgent, 'Safari') && !Str::contains($userAgent, 'Chrome')) {
           config([ 'session.same_site' => 'none' ]);
        }
        else {
            // Configure session for other browsers
            config(['session.same_site' => 'lax']);
        }
        return parent::addCookieToResponse($response, $session);
    }
}

Here are configurations inside web Kernel.php from Laravel’s default StartSession to CustomSession

 'web' => [
           .... 

           IlluminateSessionMiddlewareStartSession::class,  

           ....
          ],

 'web' => [
            ...

           AppHttpMiddlewareCustomSession::class,

            .....
         ],

Please signup or login to give your own answer.

Click here to cancel reply.