Android Zebra / WebView drops session cookie after AJAX login over intranet HTTP, works on desktop browsers (SameSite/Secure?)
I’m running a web app on an intranet IP over plain HTTP and seeing inconsistent login behavior on a Zebra PDA using an Android embedded browser or WebView. Desktop browsers work reliably.
Login is handled via AJAX. The server returns success and sets a session cookie, then the client redirects to /dashboard.
    $.ajax({
        url: "/login/login",
        type: "POST",
        data: $("#quickForm").serialize(),
        dataType: "json",
        success: function (data) {
            if (data.status) window.location.href = "/dashboard";
        }
    });
The login response includes a Set-Cookie header. On desktop browsers the cookie is always persisted and the redirect works. On the Zebra device the redirect sometimes succeeds but the session is missing on /dashboard, as if the cookie was never stored. Retrying the same login often works without changes, which makes this feel timing- or platform-dependent rather than a logic bug.
The app is accessed using an intranet IP like:
The session cookie is configured with attributes similar to:
Set-Cookie: ci_session=...; Path=/; HttpOnly; SameSite=None
or sometimes:
Set-Cookie: ci_session=...; Path=/; HttpOnly; SameSite=Lax
There are no JavaScript errors on the device.
Are there known cases where Android embedded browsers or WebView ignore or delay Set-Cookie headers from AJAX responses on non-HTTPS origins due to SameSite or Secure rules, and what is the correct way to configure session cookies to make AJAX login reliable on both desktop browsers and Android embedded browsers?
This is a PHP framework session cookie, and I can change the cookie attributes if requir
Bodhi Silberling
WebViews that exist within apps can enforce many non-standard things. Unless you have the source code for the app(s) in question, there is little to be done other than ask the app developers for assistance. You can try to capture any logs/errors in the Android logcat to see if there are any messages you can use. Identifying the OS version and device model(s) may be helpful to readers.
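
The two Set-Cookie forms quoted in the question, checked against two cookie rules that Chromium-based engines document (a Secure cookie cannot be set from a non-HTTPS origin, and SameSite=None requires Secure), as an added example that is not part of the original post or comment. The host intranet.example, the PLACEHOLDER session value and the function names are assumptions, and whether a given WebView build enforces the second rule depends on its version.

```javascript
// Added example: models two documented cookie-acceptance rules; not code from the post.
// Rule A: a cookie carrying Secure is rejected when set from a non-HTTPS origin.
// Rule B: engines enforcing "SameSite=None requires Secure" reject None without Secure.

// Parse a Set-Cookie header value into the cookie name and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? "" : parts[0].slice(0, eq);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Decide whether an engine enforcing both rules would store the cookie for this origin.
function evaluateCookie(header, originUrl) {
  const { name, attrs } = parseSetCookie(header);
  const https = new URL(originUrl).protocol === "https:";
  const secure = "secure" in attrs; // the flag counts regardless of any value
  // A missing or valueless SameSite attribute is treated as Lax by these engines.
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "lax";
  const reasons = [];
  if (secure && !https) reasons.push("Secure cookie set from a non-HTTPS origin");
  if (sameSite === "none" && !secure) reasons.push("SameSite=None without Secure");
  return { name, sameSite, stored: reasons.length === 0, reasons };
}

// Constructed inputs: placeholder origins and a placeholder session value.
const HTTP_ORIGIN = "http://intranet.example/login/login";
const HTTPS_ORIGIN = "https://intranet.example/login/login";
const samples = [
  "ci_session=PLACEHOLDER; Path=/; HttpOnly; SameSite=None",
  "ci_session=PLACEHOLDER; Path=/; HttpOnly; SameSite=None; Secure",
  "ci_session=PLACEHOLDER; Path=/; HttpOnly; SameSite=Lax",
];
for (const origin of [HTTP_ORIGIN, HTTPS_ORIGIN]) {
  for (const header of samples) {
    const r = evaluateCookie(header, origin);
    console.log(new URL(origin).protocol, header.split("; ").slice(3).join("; "),
      "->", r.stored ? "stored" : "rejected: " + r.reasons.join(", "));
  }
}
```

Under these two rules neither SameSite=None form can be stored over plain HTTP, while SameSite=Lax without Secure can. A same-origin AJAX login POST and the following navigation to /dashboard are same-site requests, so a Lax cookie is still sent on them.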
