Django HttpOnly cookies not persisted on iOS Safari and WebView, but work on Chrome and Android ITP

I'm using Django to set HttpOnly and Secure cookies for my React web application. These cookies work perfectly on Chrome (both desktop and mobile) and Android devices.

However, I'm encountering a major issue on iOS:

-iOS Safari: Cookies are not persisted; they are treated like session cookies and are deleted when the browser is closed.

-iOS React Native WebView: Similar to Safari, the cookies are not persisted.

-İOS Chrome: It works.

-Android React Native WebView: It works.

MAX_AGE = 60 * 60 * 24 * 360

COMMON = {
    "httponly": True,
    "secure": True,
    "samesite": "None",      
    "path": "/",
    "domain": ".myweb.net",   
    "max_age": MAX_AGE,
}

def set_auth_cookies(response, access_token: str, refresh_token: str):
    response.set_cookie("refresh_token", refresh_token, **COMMON)
    response.set_cookie("access_token",  access_token,  **COMMON)
    return response

I have confirmed that the max_age is set to a long duration, so it's not a session cookie by design. This issue seems to be specific to the iOS ecosystem.

What could be causing this behavior on iOS Safari and WebView, and how can I ensure these cookies are properly persisted?

<WebView
          ref={webRef}
          source={{ uri: WEB_URL }}
          style={styles.full}

          /* COOKIE PERSIST */
          sharedCookiesEnabled
          thirdPartyCookiesEnabled
          incognito={false}

          /* FIX */
          javaScriptEnabled
          domStorageEnabled
          allowsInlineMediaPlayback
          allowsFullscreenVideo
          mediaCapturePermissionGrantType="grant"
          startInLoadingState
          cacheEnabled={false}

          injectedJavaScriptBeforeContentLoaded={INJECT_BEFORE}
          injectedJavaScriptBeforeContentLoadedForMainFrameOnly={false}
          onMessage={handleWebViewMessage}
          onLoadEnd={() => {
            setLoadedOnce(true);
            lastLoadEndAt.current = Date.now();
            failCount.current = 0;
            if (healthTimer.current) {
              clearTimeout(healthTimer.current);
              healthTimer.current = null;
            }
          }}
          onContentProcessDidTerminate={() => webRef.current?.reload()}
          onRenderProcessGone={() => webRef.current?.reload()}
          onShouldStartLoadWithRequest={() => true}
          setSupportMultipleWindows={false}
          onError={() => setTimeout(() => webRef.current?.reload(), 300)}
          renderError={({ description }) => <Text style={styles.err}>⚠️ {description}</Text>}
          onHttpError={(e) =>
            console.log("HTTP", e.nativeEvent.statusCode, e.nativeEvent.description)
          }
        />

What could be causing this behavior on iOS Safari and WebView, and how can I ensure these cookies are properly persisted?

Back to Top