I experience a strange behavior with how Titanium Desktop sets cookies. It seems it does not set/update cookies if requested from a Ajax call.
It seems that an AJAX response with a set cookie header is ignored. Only when I serve the index.html from my web-server like
http://127.0.0.1/index.html instead of
app://index.html the cookie gets set in Titanium. Once the cookie is set it is not updated by a new cookie in a response header of an AJAX call. So when a cookie expires on my web-server and the server creates a new session it is ingored by Titanium that keeps sending the old cookie.
Strangely, I don't see the cookie in
document.cookie or in the Web-inspector, but it is clearly set because it is included in all AJAX calls. I also don't know where Webkit cookies get stored, apparently not in
I suspect a bug here, and it seems to be OS X only since setting cookies always have worked flawlessly for more than a year while I developed the application under Linux.
I've found a workaround by creating an invisible Titanium window and setting the URL to some empty page of my web-app. This sets the session cookie and I can close this window right after the page has loaded.
I've also tried using a hidden iframe but this does not set the cookie either.
I'm not sure if I should file a bug for this. Things are complicated because it is not clear what domain app://index.html really is and I'm also not sure whether XMLHttp requests should set cookies. At least there is an inconsistency between Linux and OSX.
I'd still be interested though were Titanium Webkit actually stores the cookies. This would help debugging.
@Aleksandr: Thanks for the tip but I don't want to add code myself for maintaining my session. My web-app server (Catalyst, something like "Perl on Rails") handles all this transparently through HTTP headers and cookies.
I can confirm that this is definitely a bug if comparison with Titanium Desktop for other platforms is to be trusted. I normally work in Windows and Linux and my application works with cookies for authentication without problem. The same application fails to save cookies on OSX.
The worst part is that the application I am developing will mostly run on OSX. I really hope they will fix this in 1.2 final.
I've found the reason why the sessions didn't work on my application, and it might be similar for the other people who have this problem. Desktop SDK 1.2RC has no problem with cookies on OSX. My problem was the fact that this version of Titanium Desktop sends an empty User-Agent header then suddenly starts sending junk as User-Agent header in a random moment. My server code validates the user agent in order to prevent session hijacking so it considered the session invalid because user agent didn't match. I fixed this by setting User-Agent header to my own value with
httpClient.setRequestHeader('User-Agent', 'my own value you do not need to know');
For those interested in doing their own debugging, Titanium Desktop applications save the cookie in a cookies.dat file in their data directory. For example, an application called MyApp running for user Me would save the cookie in /Users/Me/Library/MyApp/cookies.dat