#419 Page Expired on iPhone through in-app browsers

We're in production for a pretty long time and things have seemed to work well all this time.

But we've discovered that iPhone users get a 419 Page Expired modal when they send the registration POST request through Tiktok browser (we're using Inertia and probably it shows that modal because they response from the sign-up POST request is 419).

So again, we had tens of thousands of users successfully sign-up and login so our session config and CSRF handling should be fine.

Since this only happens on iPhone devices and through In-app browsers, I think it might be iPhone's strict handling of cookies and tracking data.

Did anyone encounter this? How can we handle this?

through In-app browsers, I think it might be iPhone's strict handling of cookies and tracking data.
That's very likely the case, yes. So you might want to check if cookies are allowed, if they aren't show them a popup or something. Or maybe requiring your site to be opened directly in a browser

Do you know if axios is using the XSRF-TOKEN from the cookie? Because I can't find it in the HTML anywhere.

How about implementing something like, but for Axios https://laravel.com/docs/12.x/csrf#csrf-x-csrf-token so it will use the token present in the meta tag instead of the cookie?

If we can have it in the HTML it should theoretically not cause an issue when cookies are turned off on iPhone devices

You'll still need to rely on cookies tho, as without a cookie you don't have a persistent session. So form errors wouldn't work etc.

Just tested on the FB app browser and it works well through an iPhone. Probably a an issue with iPhone and Tiktok specfically.

Requesting users to manually open a browser and input the URL will have a dropoff of 80%+ because users there are used to have extremely short attention span.

Not sure what we are going to do with that. Thanks for the help

Requesting users to manually open a browser and input the URL
The OS provides the option to open in a browser? No need for them to copy paste.
That is, if tiktok uses what the OS provides, instead of having built their own webview

They have their own webview, which indeed allows opening the website in the default browser in two clicks. Still, paid ads ROI will suffer if we have to do that.

And the cookie thing is a OS setting afaik

Yes, but we tested on 3 different iPhones of team members who never touched these settings. So newer iOS versions seem be coming with some kind of restrictions by default

Not sure what you want to hear tho.. If it works in other in-app browsers, then tiktok is probably blocking it somehow (which is funny, as they're pretty much the most agressive in tracking lol)
Then tiktok is the issue, and not much you can do about that

Could also be that users have enabled that setting? 🙂 Like people that don't want to be tracked and so all cookies are blocked perhaps?

I asked them. Not that they remember. Usually tech people are aware when they do these changes and these are all team members.

Probably I want to hear there's an easy solution from someone who already experienced this specific problem 🙂

But here we go with a new round of testing and debugging. I agree with everything you've said. Thanks

I'll keep this request open for another day in case somebody who knows TT's ins and outs will see this thread

Not sure if it's possible for third-party apps / web views, but you can try to inspect that webpage (you'll need a mac with Safari). That way you can debug if the cookies are set and if thus the session actually sticks

Safari shows cookies and valid session. Added TT browser-specific logging and it seems that the session and XSRF exist in the request. Any other ideas?

{
    "cookies":
    {
        "XSRF-TOKEN": "A6pi4RcrGo7fwDmIJog1rYKJMoaRtZ5i762sFtVI",
        "_tt_enable_cookie": null,
        "_ttp": "01JXD88AA9TTGV4HGCHJN4YBN7_.tt.1",
        "session": "GlyprrTO6BYWxH3zE0MuFoDSDbHdxQMvN95lZMNH",
        "us": "{\"referrer\":\"https://www.tiktok.com\"}",
    },
    "request_method": "POST",
    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Mobile/15E148 Safari/604.1 musical_ly_40.1.0 JsSdk/2.0 NetType/WIFI Channel/App Store ByteLocale/uk Region/UA isDarkMode/0 WKWebView/1 RevealType/Dialog"
}

Does it create a new session every request?

This was the root cause of a similar issue we just had the other day. Ended up being because we were just calling session([‘key’ => ‘val’]) instead of a session()->put([‘key’ => ‘val’]) in one of our custom middleware.

On L10 though, may or may not help and no idea if that’s how it still works in later versions