Josef Sábl

Reputation: 7752

Basic authentication not working in Safari

We have a PHP web application in development which should not be accessible to the public (yet), but we don't want to implement a custom solution to prevent this, so we resorted to HTTP basic auth, which is working fine generally, but there is a problem with iPhone users.

The symptoms look exactly as described in this article.

User gets the prompt, enters the credentials, is granted access to the application. So far so good. But as he tries to navigate the application he gets the prompt again. The application is served over 443 and there are indeed redirects involved.

This exactly matches the case described in the article mentioned above, well, almost. The article states the problem was resolved in Safari 6.0, which is ancient, and our users are using up-to-date iOS and Safari.

What is going on and where to look? Are we doing the authentication wrong? Is the article incorrect? Is this a new bug?

Upvotes: 3

Views: 2223

Answers (1)

moritz

Reputation: 25757

I just spent way too much time on this.

Safari on iPhone seems to apply a stricter security policy. Therefore, it isn't sending basic auth credentials with CSS, script, or AJAX requests by default. So for those requests, Safari prompts for basic auth again and again.

For CSS and script, you can:

<link rel="stylesheet" href="..." crossorigin="use-credentials" />
<script src="..." crossorigin="use-credentials"></script>

For AJAX requests, there should be an option to send credentials, depending on how you send the request, e.g.:

fetch('/path/to/json', {credentials: 'include'})

Perhaps that's also the problem you are having?

Upvotes: 1
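
One way to find out which requests cause the repeated prompt, as an added example that is not part of the question or the answer above: scan the server access log for 401 responses sent to a client that had already authenticated. It assumes Apache's combined log format, where the user field is `-` when no credentials were sent; the log lines, `SAMPLE_LOG` and the function names are constructed for illustration.

```javascript
// Constructed sample in Apache "combined" log format (not taken from the page).
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Mar/2024:10:00:00 +0000] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0 (iPhone) Safari"',
  '203.0.113.7 - dev [10/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone) Safari"',
  '203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "GET /assets/app.css?v=3 HTTP/1.1" 401 381 "https://dev.example/" "Mozilla/5.0 (iPhone) Safari"',
  '203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "GET /assets/app.js HTTP/1.1" 401 381 "https://dev.example/" "Mozilla/5.0 (iPhone) Safari"',
  '203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "GET /api/items.json HTTP/1.1" 401 381 "https://dev.example/" "Mozilla/5.0 (iPhone) Safari"',
  '198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0 (X11) Firefox"',
  '198.51.100.4 - dev [10/Mar/2024:10:01:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11) Firefox"',
  '198.51.100.4 - dev [10/Mar/2024:10:01:04 +0000] "GET /assets/app.css?v=3 HTTP/1.1" 200 900 "https://dev.example/" "Mozilla/5.0 (X11) Firefox"',
].join('\n');

// Groups: ip, user, method, path, status, user agent.
const LINE = /^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

// Rough resource type from the file extension, ignoring the query string.
function kindOf(path) {
  const p = path.split('?')[0].toLowerCase();
  if (p.endsWith('.css')) return 'stylesheet';
  if (p.endsWith('.js')) return 'script';
  return 'other';
}

// A 401 with no user is expected on the very first request. Once a client
// (IP + user agent) has authenticated, further credential-less 401s are the
// requests that make the browser prompt again.
function findUnauthenticatedRepeats(logText) {
  const loggedIn = new Set();
  const findings = [];
  for (const line of logText.split('\n')) {
    const m = LINE.exec(line.trim());
    if (!m) continue; // skip lines that are not in combined format
    const [, ip, user, , path, status, ua] = m;
    const client = `${ip} | ${ua}`;
    if (user !== '-' && Number(status) < 400) {
      loggedIn.add(client);
    } else if (user === '-' && status === '401' && loggedIn.has(client)) {
      findings.push({ client, path, kind: kindOf(path) });
    }
  }
  return findings;
}

console.log(findUnauthenticatedRepeats(SAMPLE_LOG));
```

Entries of kind `stylesheet` or `script` point at tags that lack `crossorigin="use-credentials"`; `other` entries are candidates for the `credentials` option on the request.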
