Description
Describe the bug
On iOS devices, MetaMask's in-app browser does not store cookies set via the Set-Cookie header when those cookies are delivered as part of an HTTP redirect (e.g., 302 Found with Location). This behavior does not occur on Android.
As a result, any flow relying on cookie persistence after a redirect will break on iOS — even if the request/response cycle is fully standards-compliant.
Expected behavior
When the MetaMask in-app browser receives a redirect response that includes a Set-Cookie header:
- The cookie should be stored,
- The browser should follow the redirect,
- The next request should include the newly set cookie.
Screenshots/Recordings
No response
Steps to reproduce
1. On an iOS device, use a deep link to open MetaMask with a URL that points to any backend endpoint.
2. MetaMask will open this URL inside its in-app browser.
3. This backend endpoint returns:
   - An HTTP 302 Found response,
   - A Set-Cookie header (e.g., Set-Cookie: test_cookie=value123; Path=/; Secure; HttpOnly; SameSite=None),
   - A Location header that redirects to another page.
4. The in-app browser follows the redirect.
5. On the redirected page, the previously set cookie is not included in the request headers — as if it was never stored.
6. Repeat the same steps on Android MetaMask, and the cookie is retained and sent as expected.
Error messages or log output
HTTP/1.1 302 Found
Set-Cookie: test_cookie=value123; Path=/; Secure; HttpOnly; SameSite=None
Location: /somewhere
Cookie is compliant with modern standards.
Behavior confirmed on multiple iOS versions with MetaMask's latest mobile app.
Android version of MetaMask respects the cookie and functions correctly.
Detection stage
In production (default)
Version
7.44
Build type
None
Device
any iOS device
Operating system
iOS
Additional context
No response
Severity
No response
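A minimal backend for the reproduction steps above, added here as an example and not part of the original report or of MetaMask's code. The paths `/start` and `/landing`, the port, and the `respond` helper are assumptions; the cookie line is the one from the report. Because the cookie is marked `Secure`, the server is assumed to sit behind an HTTPS-terminating proxy.

```python
"""Constructed repro server: 302 + Set-Cookie, then report whether the cookie came back."""
from http.cookies import CookieError, SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Cookie line copied from the report; /start and /landing are assumed paths.
SET_COOKIE = "test_cookie=value123; Path=/; Secure; HttpOnly; SameSite=None"


def respond(path, cookie_header):
    """Return (status, headers, body) for one request; pure so it can be tested."""
    if path == "/start":
        # The response under test: the cookie is delivered on the redirect itself.
        return 302, [("Set-Cookie", SET_COOKIE), ("Location", "/landing")], b""
    if path == "/landing":
        jar = SimpleCookie()
        try:
            jar.load(cookie_header or "")
        except CookieError:
            jar = SimpleCookie()  # malformed Cookie header counts as "not sent"
        got = jar.get("test_cookie")
        ok = got is not None and got.value == "value123"
        body = b"cookie present\n" if ok else b"cookie MISSING\n"
        # no-store keeps a cached landing page from masking the result
        return 200, [("Content-Type", "text/plain"), ("Cache-Control", "no-store")], body
    return 404, [("Content-Type", "text/plain")], b"not found\n"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = self.headers.get("Cookie")
        status, headers, body = respond(self.path.split("?")[0], cookie)
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        # Server-side evidence of what the client actually sent.
        self.log_message("path=%s cookie_header=%r", self.path, cookie)


if __name__ == "__main__":
    # Assumption: a TLS-terminating proxy fronts this port, since browsers
    # only accept a Secure cookie over HTTPS.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Opening `/start` in the in-app browser on each platform and comparing the `/landing` body with the server log line shows whether the cookie set on the redirect was sent on the follow-up request.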