Our Android users have started complaining that every time they kill our app, they have to log in again. I am able to reproduce this on our Android devices, but not our iOS devices, not through our mobile website on any device, and not through our desktop website.
When I attach the Chrome debugger to our Cordova app running on Android, it looks like Django is failing to set the sessionid cookie on the login response path. On every other platform (including straight Chrome on Android) when I look at the response for that endpoint, the sessionid cookie is there.
Here is what the normal login response looks like in every browser other than Cordova Android. Notice the setting of the sessionid cookie:
Response Headers
Connection:keep-alive
Content-Encoding:gzip
Content-Length:654
Content-Type:application/json; charset=utf-8
Date:Sat, 23 Apr 2016 22:33:44 GMT
ETag:"11186a50be09093d01d4e82ff4d9d3e5;gzip"
Server:nginx/1.8.1
Set-Cookie:sessionid=25a9wodafd4zh8w0lzpklf8lnc7mxwbm; expires=Sat, 07-May-2016 22:33:44 GMT; Max-Age=1209600; Path=/
Vary:Cookie, Accept-Encoding
X-Frame-Options:DENY
X-Handled-By:127.0.0.1:8000
Here is the response I'm getting in Android through our Cordova app:
Response Headers
Connection:keep-alive
Content-Encoding:gzip
Content-Length:654
Content-Type:application/json; charset=utf-8
Date:Sat, 23 Apr 2016 22:52:23 GMT
ETag:"11186a50be09093d01d4e82ff4d9d3e5;gzip"
Server:nginx/1.8.1
Vary:Cookie, Accept-Encoding
X-Frame-Options:DENY
X-Handled-By:127.0.0.1:8000
The request succeeds and the user somehow has a session and can make purchases. They can background the app and bring it up and their session is still there, but if they kill the app and bring it back up, they lose their session.
When I connect the Safari web debugger to our iOS Cordova app, the login response looks good. The sessionid cookie appears in the response header and everything works.
I'm hoping that there's something obvious about this whole process that I'm missing.
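Added example, not part of the original post: a Python sketch that compares the two header captures shown above and parses the `Set-Cookie` value, reporting whether the cookie is persistent and whether it carries the `Secure` and `HttpOnly` flags. The function names are hypothetical and the header text is a subset of the lines copied from the post.

```python
from http.cookies import SimpleCookie

# Subset of the header captures from the post (browser vs. Cordova Android).
BROWSER = """\
Content-Type:application/json; charset=utf-8
Date:Sat, 23 Apr 2016 22:33:44 GMT
Server:nginx/1.8.1
Set-Cookie:sessionid=25a9wodafd4zh8w0lzpklf8lnc7mxwbm; expires=Sat, 07-May-2016 22:33:44 GMT; Max-Age=1209600; Path=/
Vary:Cookie, Accept-Encoding
X-Frame-Options:DENY
"""
CORDOVA = """\
Content-Type:application/json; charset=utf-8
Date:Sat, 23 Apr 2016 22:52:23 GMT
Server:nginx/1.8.1
Vary:Cookie, Accept-Encoding
X-Frame-Options:DENY
"""

def parse_headers(raw):
    """Return {lower-cased header name: [values]} from 'Name:value' lines."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def missing_headers(reference, observed):
    """Header names present in the reference capture but absent in the other."""
    return sorted(set(parse_headers(reference)) - set(parse_headers(observed)))

def describe_cookies(raw):
    """Summarise lifetime and security attributes of every Set-Cookie header."""
    summary = {}
    for value in parse_headers(raw).get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            max_age = morsel["max-age"]
            summary[name] = {
                # A cookie without Max-Age/Expires is dropped when the client exits.
                "persistent": bool(max_age or morsel["expires"]),
                "max_age_days": int(max_age) / 86400 if max_age else None,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
                "path": morsel["path"],
            }
    return summary
```
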