Video requiring asp.net authentication not working on iOS 10

by

On Safari in iOS 10 my video doesn’t work, only showing the play-icon.

I serve the video via an asp.net server, which checks to make sure the user has logged on and have access to the video. Only, on iOS 10 the server will respond with 401 Unauthorized!

Doing some testing with the code below, I found that safari on iOS 9 sends the “.ASPXAUTH” cookie – but safari on iOS 10 doesn’t!

<video crossorigin="use-credentials" controls autoplay="autoplay">
    <source src="/Server/GetVideo.ashx?id=123"/>
</video>

Why is safari not able to play my video? Is there any way to solve it?

Contents hide
Answers:
Method 1
Method 2
Method 3

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

My solution is here:
https://stackoverflow.com/a/40015409/7012293

Basically you need to send a 403 forbidden if the session cookie is missing. Safari will retry with the session cookie.

Method 2

We have the exact same problem with a completely different technology stack (Linux, PHP, Moodle). Our session cookie is not sent with video (and audio) requests.

We weren’t able to figure out a way to make iOS behave properly here, so we are doing an emergency patch to solve the problem by detecting iOS 10 and sending it to a different script to serve the video, passing a securely encrypted version of the session cookie value inside the path to this script, and then doing various hacks so that the value from the path gets used to identify the session from within that script (instead of the nonexistent cookie). This change works but is complex, has minor security implications, and might be harder to implement on different technologies.

This seems like a major problem with iOS 10 so I would hope that it might be fixed in a future update. Also, I note that although our session cookie is not included with the video, several other cookies are included! I couldn’t actually figure out which ones weren’t. (One of the first things I tried was to use a timed-expiry instead of session cookie, but this didn’t get sent with the video either.)

Method 3

Solution is to be found here:

HTML5 video/audio player on mobile Safari (iOS 7 & iOS 10) excludes cookies

Set an expire date to the cookie and the video player in iOS 10 can read back the cookie. Session cookies without an expire date can not be read back by the video player in iOS 10.


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x