[Android] Image loading request is performed without cookie which was set earlier by "SetCookie" header of response

[andrey-skl]

Description

1. I have a server which returns image only if request has authorization cookie.
2. I authorise on this server and get a HTTP response with Set-Cookie header with cookies in content.
3. Then I show an Image with URL pointing to this server. Image is failed to load. Same thing works OK on iOS.

I checked the network traffic, and found this:

1. Response which sets the cookie looks like this:

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 22 Apr 2017 16:43:31 GMT
Content-Type: application/json;charset=utf-8
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID={Censored};Path=/somepath;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Access-Control-Expose-Headers: Location
Cache-Control: no-cache, no-store, no-transform, must-revalidate
Vary: Accept-Encoding, User-Agent
Content-Encoding: gzip
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-Content-Type-Options: nosniff
Transfer-Encoding: chunked
Connection: Keep-alive

2. Regular fetch-drived network requests after this are performed with this cookie:

GET {Censored/some url} HTTP/1.1
content-type: application/json
accept: application/json, text/plain, */*
authorization: {Censored}
Host: {Censored}
Connection: Keep-Alive
Accept-Encoding: gzip
Cookie: JSESSIONID={Censored/HERE IT IS!!}
User-Agent: okhttp/3.4.1

3. Image requests are performed without this cookie:

GET {Censored}/_persistent/project-diff.png?file=96-37&c=false HTTP/1.1
Host: {Censored}
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.4.1

Solution

The code which loads image should respect that cookie set before.

Additional Information

• React Native version: 0.43.4
• Platform: Android 7.1
• Development Operating System: macOS
  Seems similar to Remote Images are not fetched with existing cookies? #6316 but on Android.

[andrey-skl]

I'm pretty sure there is code which implements this, but is it working?

react-native/ReactAndroid/src/main/java/com/facebook/react/modules/fresco/FrescoModule.java

Line 161 in d9ae27b

CookieJarContainer container = (CookieJarContainer) client.cookieJar();

[cbjs]

same +1

[keith-kurak]

I'm having this issue, as well.

• 1

[keith-kurak]

I think I fixed this on my end. I had a CRNA project that I had just upgraded to Expo v.18. I was serving it from my computer via the default "react-native-scripts" that CRNA automatically puts in package.json, but then I was publishing it via the "exp" CLI. When I would run it via CRNA, it would seemingly throw all of Expo on my Android phone into this state where it was using another stack for image HTTP requests. If I killed Expo entirely on my phone and published again via exp everything would work. When sniffing the network traffic, I noticed that the bad requests had a user-agent of "Davlik 2.1.0/ ..." while the good ones (image requests and otherwise) would use "okhttp". Now that I'm doing all of my testing and publishing with the exp commands, things seem to be OK.

[rakeshgajula]

I am on "react-native": "0.43.4" and having the same issue.

Image requests on Android are missing cookies

[lechinoix]

Same here with react-native 0.46.4

[pull-bot]

Hi there! This issue is being closed because it has been inactive for a while. Maybe the issue has been fixed in a recent release, or perhaps it is not affecting a lot of people. Either way, we're automatically closing issues after a period of inactivity. Please do not take it personally!

If you think this issue should definitely remain open, please let us know. The following information is helpful when it comes to determining if the issue should be re-opened:

• Does the issue still reproduce on the latest release candidate? Post a comment with the version you tested.
• If so, is there any information missing from the bug report? Post a comment with all the information required by the issue template.
• Is there a pull request that addresses this issue? Post a comment with the PR number so we can follow up.

If you would like to work on a patch to fix the issue, contributions are very welcome! Read through the contribution guide, and feel free to hop into #react-native if you need help planning your contribution.

[andrey-skl]

Sadly that's the way how react-native evolves: it doesn't care about great bunch of small but breaking stuff issues there and there. Will it get some kind of polishing and bugfixing eventually? Nobody knows 😞

[hramos]

We do care! With the amount of open issues and PRs, we do focus on more active issues first. After two months, no PR has been opened to fix this, so it probably is not a huge blocker. Feel free to send a PR with polish and bug fixes :)

[joeldalley]

@hramos This is a pretty significant problem for us. We're using React 16 and React Native 0.50.0. I notice that in my AJAX requests on the Android platform, it doesn't matter if I employ the withCredentials request option or not--Android simply doesn't pass cookies along w/ the request. I'm currently struggling to think of a way to ship our app next month with Android not respecting our directive to use cookies. We observe this breakdown by reading the requests that arrive at our server, where the iOS requests have the expected cookies, and Android does not.

EDIT: this note has nothing to do with image loading -- it's just AJAX requests in general, using React Native on the Android platform. Cookies are never sent with any HTTP requests.

[keith-kurak]

We're discussing this issue further in the Expo client Github (expo/expo#370). We can reproduce the issue with Image HTTP requests using the Davlik user agent (instead of Okhttp) after an Expo app's activity is closed and reopened. If anybody has any suggestion on how to reproduce a similar situation (loading a second activity in the same process running the same JS) in base RN, I'd be happy to give it a try.

[dracostheblack]

We're seeing the same issue. We have an auth cookie and it's not getting passed so the image will not display.

[andrey-skl]

Have worked around it by passing authorization every time via "headers" value of Image's source property, but this is really ugly.

https://github.com/JetBrains/youtrack-mobile/blob/master/src/views/show-image/show-image.js#L41

[dracostheblack]

@huston007 I'm passing it like image = {uri: imageName, headers: imageHeaders, cache: 'force-cache'}, where imageHeaders has 'Cookie': authCookie as part of it. Is what you're doing different, it looks the same.

[ghost]

Does not work in 0.56.0 as well.