Play session cookie not sent by Safari

Published 2019-07-07 08:31

Question:

I have a single page application (SPA) on a domain a.domain.com (http) that connects to an API on b.otherdomain.com (https) built in Play 2 (Scala).

After the SPA has loaded, the user enters their credentials and the app makes an AJAX call to https://b.otherdomain.com/login.

The /login sets the Play cookie and the following requests are authenticated correctly. Everything works on Chrome and Firefox (not IE, because of CORS restrictions).

It should work on Safari, but after the /login call the cookie is not sent back with the following requests, so Play returns "401 not authorized" responses.

Is this a bug or a misconfiguration on my server side? Do I have to change application.session.httpOnly and application.session.secure?

Here is what I see from the Safari inspector:

/login headers:

Request URL: https://b.otherdomain.com//login
Request method: POST
Status code: 200 OK
Request headers
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
Origin: http://a.domain.com
Referer: http://a.domain.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Form data
email: foo@foo.com
password: foofoo
Response headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://a.domain.com
Connection: keep-alive
Content-Length: 31
Content-Type: text/plain; charset=utf-8
Set-Cookie: PLAY_SESSION=a71f93e3315fa9164dd7112841ccdb4a0f0c447b-sessionId%3A6gtu7%21z.5i%218d%29v8yxy693n-s6zsuejpav_p67f9hb%7Ej%274h2de*jx3g35p%7Egzo0u;Path=/;HTTPOnly
Strict-Transport-Security: max-age=31536000

Following request:

Request URL: https://b.otherdomain.com/users
Request method: GET
Status code: 401 Unauthorized
Request headers
Accept: application/json, text/plain, */*
Origin: http://a.domain.com
Referer: http://a.domain.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Response headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://a.domain.com
Connection: keep-alive
Content-Length: 24
Content-Type: text/plain; charset=utf-8
Strict-Transport-Security: max-age=31536000

Answer 1:

I had the same problem. It worked well in Chrome, but not at all in Safari. My understanding is that this is a new limitation of Safari related to third-party cookies.

It seems there is no (good) workaround.

Options:
- use a proxy: set up an endpoint on server a to call b server-side.
- make a CNAME DNS entry for b so it is seen as a.

You may want to try the PayPal cross-domain suite: https://medium.com/@bluepnume/introducing-paypals-open-source-cross-domain-javascript-suite-95f991b2731d