We have a SaaS application where the browser is attached to a server-side session using a cookie called session-id. The value of this cookie is a UUID v4 identifier created the first time any given browser is seen. We're sending the cookie as
Set-Cookie: session-id=ebbaf531-8763-4a59-b086-d946124f8d64; Path=/; HttpOnly; Secure;
Everything else seems to be fine except that Internet Explorer running on Windows Phone 8.1 seems to have issues where the cookie is suddenly lost.
Cases that cause cookie to be lost:
Case 1 is especially problematic because it looks like a random failure to the user. Internet Explorer will reload the page in this case, and the GET request for the page reload is missing the cookie. I understand that cases 2 and 3 are expected behavior given that I used a session cookie above.
I have also tried to set a permanent (28 days) cookie using
Set-Cookie: session-id=ebbaf531-8763-4a59-b086-d946124f8d64; Path=/; HttpOnly; Secure; max-age=2419200; Domain=peda.net
and the same behavior still remains. Note that this "permanent" cookie does not survive a browser restart or a phone restart.
Is there a known workaround that allows not losing the cookie randomly? I'm trying to allow users to opt in to permanent sessions, and all the other browsers are working correctly. Internet Explorer on Windows Phone 8.1 is the last remaining obstacle. I have already tried adding and removing the attribute domain, but that did not have any effect.
According to tests I have done, nothing can be done for the session cookies. Internet Explorer on Windows Phone will always discard all session cookies in all the cases listed. This is especially problematic for case (1), where the reason for discarding the cookie is low RAM while Internet Explorer is running in the background.
However, the permanent cookie issue can be worked around. It turns out that Internet Explorer running on Windows Phone 8.1 (probably all other versions, too) supports only the non-standard expires parameter instead of the max-age parameter. The same happens with desktop versions of Internet Explorer 6.0 - 8.0, so I would guess the Windows Phone version was forked around MSIE 8.0 and contains roughly the same issues with cookies. The parameter domain is not required.
So the correct Set-Cookie header looks like the following:
Set-Cookie: session-id=ebbaf531-8763-4a59-b086-d946124f8d64; Path=/; HttpOnly; Secure; max-age=2419200; expires=Thu, 14 Apr 2016 13:12:28 GMT
Note the format of the expires parameter. This exact format has the most compatibility. Of course, you need to dynamically compute the correct value for this attribute to match the max-age attribute.
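As an added example (not part of the question or the answer above, and not the poster's code), here is a small Python helper that builds the Set-Cookie header the answer recommends: max-age for standards-compliant browsers plus an expires attribute in the "Thu, 14 Apr 2016 13:12:28 GMT" form, computed from the same clock so the two never disagree. The function names (build_set_cookie, expires_matches_max_age, etc.), the fixed "now" used below and the use of Python are my assumptions; the weekday and month names are spelled out explicitly because strftime's %a/%b follow the process locale, while the legacy expires format must always be in English. It also rejects cookie names and values outside the RFC 6265 token/cookie-octet sets, so an attacker-influenced value cannot smuggle ";" or CRLF into the header, and it includes a checker that verifies expires really equals now + max-age.

```python
import re
from datetime import datetime, timedelta, timezone

# Example code, not from the original post. Fixed English names: strftime's
# %a/%b depend on the process locale, but the legacy expires format does not.
_WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
_MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# RFC 6265: cookie-name is a token, cookie-value is made of cookie-octets
# (no control chars, whitespace, double quote, comma, semicolon or backslash).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTETS = re.compile(r"^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$")


def http_date(dt):
    """Format a datetime as 'Thu, 14 Apr 2016 13:12:28 GMT', independent of locale."""
    dt = dt.astimezone(timezone.utc)
    return "%s, %02d %s %04d %02d:%02d:%02d GMT" % (
        _WEEKDAYS[dt.weekday()], dt.day, _MONTHS[dt.month - 1], dt.year,
        dt.hour, dt.minute, dt.second)


def parse_http_date(text):
    """Parse the date format produced by http_date() without using the locale."""
    wday, day, mon, year, clock, zone = text.replace(",", "").split()
    if zone != "GMT" or wday not in _WEEKDAYS or mon not in _MONTHS:
        raise ValueError("unsupported date format: %r" % text)
    hour, minute, second = (int(x) for x in clock.split(":"))
    dt = datetime(int(year), _MONTHS.index(mon) + 1, int(day),
                  hour, minute, second, tzinfo=timezone.utc)
    if _WEEKDAYS[dt.weekday()] != wday:
        raise ValueError("weekday does not match date: %r" % text)
    return dt


def build_set_cookie(name, value, max_age_seconds, now=None):
    """Build a Set-Cookie value carrying both max-age and a matching expires.

    `now` is injectable so the header is reproducible; it defaults to the
    current UTC time. Name and value are validated to block header injection.
    """
    if not _TOKEN.match(name):
        raise ValueError("invalid cookie name: %r" % name)
    if not _COOKIE_OCTETS.match(value):
        raise ValueError("invalid cookie value: %r" % value)
    if max_age_seconds <= 0:
        raise ValueError("max-age must be positive")
    if now is None:
        now = datetime.now(timezone.utc)
    expires = now + timedelta(seconds=max_age_seconds)
    return ("%s=%s; Path=/; HttpOnly; Secure; max-age=%d; expires=%s"
            % (name, value, max_age_seconds, http_date(expires)))


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def expires_matches_max_age(header, now, tolerance_seconds=1):
    """True when expires (used by old IE) equals now + max-age (used by others)."""
    _, _, attrs = parse_set_cookie(header)
    if "max-age" not in attrs or "expires" not in attrs:
        return False
    expected = now + timedelta(seconds=int(attrs["max-age"]))
    actual = parse_http_date(attrs["expires"])
    return abs((actual - expected).total_seconds()) <= tolerance_seconds


if __name__ == "__main__":
    # Constructed sample: the UUID from the post, a 28-day lifetime, and a fixed
    # clock 28 days before the expires value shown in the answer.
    fixed_now = datetime(2016, 3, 17, 13, 12, 28, tzinfo=timezone.utc)
    header = build_set_cookie("session-id",
                              "ebbaf531-8763-4a59-b086-d946124f8d64",
                              28 * 24 * 3600, now=fixed_now)
    print("Set-Cookie:", header)
    print("expires consistent with max-age:",
          expires_matches_max_age(header, fixed_now))
```

Emit the returned string as the value of one Set-Cookie header; keep Secure and HttpOnly as in the original, and if you also set Domain, validate it against a fixed allow-list rather than deriving it from the request's Host header.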