Cookies don't work over WebSocket on Apple devices

TLDR: it's the HttpOnly flag.


It appears that while some browsers do allow a Set-Cookie header in the response to a WebSocket connection to have the HttpOnly flag, iOS Safari considers the situation "non-HTTP" and blocks this.

Interestingly, while setting HttpOnly cookies is not possible, HttpOnly cookies are sent in request headers while connecting a WebSocket. This leaves a pair of options:

  • Increase risk and omit HttpOnly;
  • Set your cookies with another plain HTTP request, quite possibly one that doesn't even have a response body.

I'd consider iOS Safari's behavior to be incorrect compared to what's outlined in the RFC 6265 storage model.


If your Set-Cookie header works in other browsers, my guess is that it's an upstream issue; specifically, iOS Safari has the ability to block cookies. By default, iOS Safari blocks third-party cookies.

Can a webpage in mobile Safari check whether Settings > Safari > Accept Cookies 'From visited' or 'Always' is selected?

If cookies are blocked you can't use them. If you need cookies, detect support by setting a cookie on the login page like enabled=1 and then check for it in the /ws handler. If it comes up blank and cookies are blocked, you can try redirecting to /please-enable-cookies to ask the user to enable cookies for your site.

Another option is to store signed session data in local storage and include it in each request in the Authorization header. https://jwt.io/