So my application is an iframe based ecommerce cart; cart session is stored on the accessing domain. When a user checks out the iframe deploys a pop up login to our SAAS (which clears our domain for cross domain cookies). After the pop up login is authenticated the popup closes and the iframe refresh and loads the user's check out with their stored information (all done correctly). The cart session is past over to the iframe via http queries, so it is correctly hitting the server.

The problem area: My application deploys multiple cookies (cart session, referring site, etc), it seems that ONLY on the iPhone and iPad safari, the headers don't show multiple cookies being set. Only one is being set. Keep in mind that I have my php header declaring valid multiple cookies (or technically multiple headers allowed). Obviously the issue is on the client site mobile browsers, any one else have these issues?

Reported via Apple Bug Reporter PID #13966978.

It turns out that the technique for safelisting a new domain via new popup window (set cookie with domain information + flagged as secure) didn't work.

You must first add a simple cookie to the very first line without any additional flags i.e.:

setcookie("hi","true");

This was a very weird bug and is reported @

Apple Bug Reporter PID #13966978.