Summary
Apps targeting KITKAT or below allow third party cookies by default. Apps targeting LOLLIPOP or later do NOT allow third party cookies by default.
https://developer.android.com/reference/android/webkit/CookieManager.html
Issue
Android Lollipop changes the default WebView behavior of your app.
If your app targets API level 21 or higher, the system blocks mixed content and third party cookies by default. If your app targets API levels lower than 21, the system allows mixed content and third party cookies, and always renders the whole document at once.
Resolution
To allow mixed content and third party cookies, use the setMixedContentMode() and setAcceptThirdPartyCookies() methods respectively. The system now intelligently chooses portions of the HTML document to draw. This new default behavior helps to reduce memory footprint and increase performance. If you want to render the whole document at once, disable this optimization by calling enableSlowWholeDocumentDraw().
https://developer.android.com/about/versions/android-5.0-changes.html#BehaviorWebView
Sample Code
import android.os.Bundle;
import org.apache.cordova.*;
import android.os.Build;
import android.webkit.CookieManager;
import android.webkit.WebView;

public class WebApp extends CordovaActivity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        super.init();

        // Allow third party cookies for Android Lollipop
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            WebView webView = (WebView) super.appView;
            CookieManager cookieManager = CookieManager.getInstance();
            cookieManager.setAcceptThirdPartyCookies(webView, true);
        }
        super.loadUrl(Config.getStartUrl());
    }
}
Solution credited to Joash Pereira
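The sample above covers only cookies. As an added example (not part of the credited solution or of Cordova), the helper below applies the settings named in the Resolution to one WebView and picks the narrower mixed content mode instead of allowing everything. The class name WebViewLollipopDefaults and its method names are hypothetical.

```java
import android.os.Build;
import android.webkit.CookieManager;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Hypothetical helper for illustration; not part of Cordova or the Android SDK.
public final class WebViewLollipopDefaults {

    private WebViewLollipopDefaults() {}

    // Call before the first WebView is created (for example at the top of
    // onCreate(), before super.init()); later calls do not affect existing views.
    public static void renderWholeDocument() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            WebView.enableSlowWholeDocumentDraw();
        }
    }

    // Restores only the pre-Lollipop behavior the caller asks for, on this
    // WebView only. Returns true if third party cookies end up accepted.
    public static boolean apply(WebView webView,
                                boolean thirdPartyCookies,
                                boolean mixedContent) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
            // These methods were added in API level 21 and do not exist on
            // older devices, so there is nothing to call here.
            return true;
        }

        // The setting is per WebView: other WebViews in the app keep the
        // Lollipop default (third party cookies blocked).
        CookieManager cookieManager = CookieManager.getInstance();
        cookieManager.setAcceptThirdPartyCookies(webView, thirdPartyCookies);

        // MIXED_CONTENT_ALWAYS_ALLOW is the weak setting: every HTTP
        // subresource loads inside an HTTPS page. COMPATIBILITY_MODE follows
        // browser-like rules and still blocks some insecure content;
        // NEVER_ALLOW keeps the default for targetSdkVersion 21 and higher.
        WebSettings settings = webView.getSettings();
        settings.setMixedContentMode(mixedContent
                ? WebSettings.MIXED_CONTENT_COMPATIBILITY_MODE
                : WebSettings.MIXED_CONTENT_NEVER_ALLOW);

        // Read the value back so the caller can log or assert on it.
        return cookieManager.acceptThirdPartyCookies(webView);
    }
}
```

In the WebApp activity above this would be called after super.init(), passing (WebView) super.appView and true only for the behaviors the loaded site actually needs.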
Keywords: Cookies, App targeting, Security
KB_0045