https://medium.com/@mahithegeek/cookies-in-ios-nshttpcookie-and-nshttpcookiestorage-696564bc6975

Cookies in iOS— NSHTTPCookie and NSHTTPCookieStorage

What is a Cookie?

Cookies generally are very common and widely used in browser world, mainly for Session Management, User preferences and state etc. Cookie is a small piece of data with some attributes sent by servers. This is stored by Web browsers and shared with server in the subsequent requests.

Structure of a Cookie

Even though a Cookie is small piece of data, it follows a structure and each attribute defines the behavior of the cookie. The RFC documents are very useful : RFC 6265 and RFC 2109

If you are interested to see some cookies at work in real time , open a browser and hit any url like google or Facebook. In chrome open dev tools (you can open this by right click and say inspect) and in the network section go to Headers and see the cookie. In Safari open webinspector and go to Resources and you can see cookie in request headers.

HTTP cookies

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The…developer.mozilla.org

Cookies and Mobile Apps

Cookies are used frequently in the Web world, lot of times Mobile Developers do not need to deal with them. They always have nice REST APIs to hit and fetch data from server any time. This is true for most use cases and apps. But some times the borders are blurred and requirements come up, where there may be a need to handle cookies and perform some tasks from mobile apps as well.

A good example can be Single Sign On (SSO) situations. If the enterprise has some services and data accessible via SSO along with REST APIs for some other data then it could be possible that the mobile app may need to access these SSO protected resources. In SSO users log in only once and access all the resources protected under the same SSO. SSO solutions generally use cookies to achieve this. Hence cookie handling may be required by the app to comply and operate with SSO systems.

How do we handle Cookies in iOS?

iOS has good ways and means to handle cookies. Classes NSHTTPCookie and NSHTTPCookieStorage are well designed and have nice APIs and attributes to represent a cookie and store it as well. But there is very limited documentation available and less content on Stack Overflow on this topic. (no surprise this is not a common use case)

So lets try to explore:

Method 1:

You can “cook up” or “bake” a custom cookie using the code above. NSHTTPCookie class does allow a cookie to be constructed, by passing in different attributes. There are certain mandatory parameters to successfully create a cookie. We at least need name, value, domain or originurl and path. See here. If these are not provided, the API returns a nil cookie.

Below is a code snippet:

There are many other attributes for the cookie and some can’t be set using the above method. For example, the attribute HttpOnly which is a very important paramter in a Cookie, can’t be set via properties dictionary like above.

In my opinion, creating a cookie like this using the above code may not be very useful and it may not do the things that you want. Definitely not useful in SSO environment. Also you need to write more code if there are multiple cookies and also make sure the properties are correctly formed for each cookie.

Method 2 (recommended):

There is another great API in the NSHTTPCookie class where you can dump the entire http response string and the class would return a perfect cookie (array of cookies) by setting all the necessary attributes including the HttpOnly.(in fact this is the only way to set all the attributes)

NSArray* httpCookies = [NSHTTPCookie cookiesWithResponseHeaderFields:[httpresponseallHeaderFields]forURL:url;

In the http response from the server, cookies generally come as key value pair, with Key “Set-Cookie:”. The above API picks the cookie string from the response and converts it into a meaningful cookie. The URL in the above API is very useful and important. Earlier we said there are four mandatory parameters for a cookie to be created in iOS, name, domain, value and path. But according to RFC docs, Domain can be optional which means Cookies might have an empty domain some times. There is no property to set originURL in the NSHTTPCookie Class either. In such cases Method #1 is completely useless. But in the current method, the API fills the originURL if there is no domain in the cookie string and gives you a valid Cookie. Also, there are many other attributes which will be automaticlly set if the server sends them. By far this is the best method in my experience to construct a cookie.

How to store a Cookie?

In the above section we looked at the creation/construction of a cookie. Now lets look at how to store and make use of this Cookie. NSHTTPCookieStorage is our friend. This is a centralised storage for the cookies.

The most interesting and useful feature of this class is that OS (iOS) puts the cookie in the network requests automatically, provided there is a domain match between the cookie and the URL of the request. Suppose the cookie has a domain “.example.com” and the URL of the request is www.test.example.com, then the cookie is added in the request automatically without any extra code.

You can also access this cookie and set it o WKWebview request as well. Although SFSafariViewController is stricter and does not share cookies with the app, rest all kinds of network requests (NSURLSession, WKWebView etc.) can carry the Cookie.

For all the NSURLSession requests the cookie is set in the request, if the domain matches the URL of the request. For webview one can add the cookie by accessing it from the storage for initial load like below:

NSURLRequest* request; //your request

[request setAllHTTPHeaderFields:[NSHTTPCookie requestHeaderFieldsWithCookies:[NSHTTPCookieStorage sharedHTTPCookieStorage].cookies]];

[request HTTPShouldHandleCookies];

How to Verify?

If you are loading a webview and already have a cookie stored, you may have to add the cookie to the initial request. After that load the webview and hit a URL with the same domain as of the cookie. Open Safari WebInspector and see the Request Headers having Cookie.

Generally you can use a fiddler or any network capture tools to look at the request and check for the cookie.

In conclusion, you can handle cookies using these two classes NSHTTPCookie and NSHTTPCookieStorage and having a basic understanding of the cookie and its attributes. Cookies follow the standards defined in RFC 6265 and 2109 and each property has some signifigance.

In the above post I tried to share my experience and the result of my exploration and some trail and error tests with Cookie. Please share and add if you have any additional information.

Credits : I enjoyed working on this (for a requirement) and gained some understanding of Cookies in iOS. I would like to thank my team members, Pushpa for having all the discussions and ensuring we did the right thing in the end and Mujeeb for brain storming and testing this feature.