Apple's secret Safari cookie crackdown could have unintended consequences for your logins

iPhone 13 mini in hand
(Image credit: Future)

A change to the way WebKit handles some internet cookies means that Safari 16.4 will invalidate them more frequently in the name of privacy. But that could also mean that users have to log into their accounts more often as well.

The change, which is built into the underlying WebKit browser engine and implemented as part of the recent Safari 16.4 release, isn't specifically mentioned in Apple's release notes. But it's been spotted by WebKit experts and shared on Twitter.

WebKit developers say that the change is designed to prevent third-party cookies from masquerading as first-party ones — something some websites and services appear to have been doing to help them track users across the web.

Security matters

The change is detailed in a WebKit pull request on GitHub (opens in new tab).

The request says that while Safari already caps the lifetime of cookies to seven days if it suspects them to be third-party cookies pretending to be first-party ones, this new change goes a step further.

The explanation is a complicated one, but the gist is that some cookies have been using "CNAME cloaking" to confuse Safari into thinking they're from the website's owner, not a third party. That party could be some sort of analytics company for example.

With Safari 16.4 installed, the browser will look for more telltale signs that something isn't as it should be with the cookie in question. If it's deemed not to be a first-party one at all, it'll be set to time out after just a week.

Some have suggested that Google Tag Manager (opens in new tab) is the target of such a change, although there are likely other implications for other services. Tag Manager is a tool that allows website analytics and more.

See more

This is all being done in the name of privacy and will likely help prevent people from being tracked when browsing the web. But it could also have an unintended impact on logins as well.

Experts worry that login sessions could be caught in the crossfire, with their session cookies also forced to time out after seven days. The result would mean users have to log back into websites after a week unless they visit the site and obtain a new cookie sooner.

Critics are already suggesting that this move in particular goes against the idea of an open web, although Apple will no doubt see things very differently.

As always, the best iPhone, Mac, and iPad is one that's safe and secure. But it could well make life difficult for website and service builders who rely on the tools and analytics that this cookie change will impact.

Oliver Haslam
Contributor

Oliver Haslam has written about Apple and the wider technology business for more than a decade with bylines on How-To Geek, PC Mag, iDownloadBlog, and many more. He has also been published in print for Macworld, including cover stories. At iMore, Oliver is involved in daily news coverage and, not being short of opinions, has been known to 'explain' those thoughts in more detail, too.

Having grown up using PCs and spending far too much money on graphics card and flashy RAM, Oliver switched to the Mac with a G5 iMac and hasn't looked back. Since then he's seen the growth of the smartphone world, backed by iPhone, and new product categories come and go. Current expertise includes iOS, macOS, streaming services, and pretty much anything that has a battery or plugs into a wall. Oliver also covers mobile gaming for iMore, with Apple Arcade a particular focus. He's been gaming since the Atari 2600 days and still struggles to comprehend the fact he can play console quality titles on his pocket computer.