SSO Link-outs Requiring Reauthentication Each Session on the campusM iOS App
- Product: campusM
- Operating system: iOS
Symptoms
Following several customer cases in which link-outs to SSO-authenticated services from the iOS app did not persist the access tokens, we would like to clarify the situation that causes some clients to require the user to reauthenticate each session.
We have identified that, for security reasons, Apple handles cookies without expiry dates (in this case, the IdP session cookie) differently and, as a result, treats them as expired session cookies. This means that once the app is closed, the cookie expires, and the user must reauthenticate each session to access this resource.
If an expiry date is applied to the offending cookie, Apple will respect its session length, and access will continue.
Solution
The solution for customers is therefore to ensure that these cookies (the IdP session cookie in this scenario) have expiry dates of 365 days or less. This is in line with good security practice.
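One way to check an IdP's `Set-Cookie` headers against this rule, as an added example that is not part of the original article or of campusM: it classifies each cookie as session-only (no `Expires` or `Max-Age`), within the 365-day limit, or beyond it. The cookie name `idp_session` and the sample header values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(days=365)  # upper bound given in the article

# Constructed sample Set-Cookie values; the cookie name and values are made up.
SAMPLES = [
    "idp_session=abc123; Path=/; Secure; HttpOnly",
    "idp_session=abc123; Path=/; Secure; HttpOnly; Max-Age=2592000",
    "idp_session=abc123; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "idp_session=abc123; Path=/; Max-Age=63072000",
]

def classify_set_cookie(header_value, now=None):
    """Return (name, verdict): 'session', 'ok', 'too-long' or 'expired'."""
    now = now or datetime.now(timezone.utc)
    first, *rest = [p.strip() for p in header_value.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    lifetime = None
    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    if "max-age" in attrs:
        try:
            lifetime = timedelta(seconds=int(attrs["max-age"]))
        except (ValueError, OverflowError):
            pass  # unparsable Max-Age is ignored; fall back to Expires
    if lifetime is None and "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = expires - now
        except (TypeError, ValueError):
            pass  # unparsable Expires leaves the cookie session-only

    if lifetime is None:
        return name, "session"  # no lifetime: lost when the app is closed
    if lifetime <= timedelta(0):
        return name, "expired"
    return name, "ok" if lifetime <= MAX_LIFETIME else "too-long"

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_set_cookie(sample), "<-", sample)
```

A `session` verdict on the IdP session cookie corresponds to the reauthentication symptom described above; `too-long` marks a lifetime above the 365-day limit.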
- Article last edited: 12-Sep-2022