Cherry-pick PR #1574: Allow cookies in duna resume request

Copilot · swasti29 · Copilot · commit abfae03d8300 · 2025-09-24T23:26:14.000Z
Co-authored-by: swasti29 &lt;12692041+swasti29@users.noreply.github.com&gt;
diff --git a/IdentityCore/src/MSIDConstants.h b/IdentityCore/src/MSIDConstants.h
@@ -217,6 +217,7 @@ extern NSString * _Nonnull const MSID_FLIGHT_DISABLE_JIT_TROUBLESHOOTING_LEGACY_
 extern NSString * _Nonnull const MSID_FLIGHT_CLIENT_SFRT_STATUS;
 extern NSString * _Nonnull const MSID_FLIGHT_DISABLE_PREFERRED_IDENTITY_CBA;
 extern NSString * _Nonnull const MSID_FLIGHT_SUPPORT_STATE_DUNA_CBA;
+extern NSString * _Nonnull const MSID_FLIGHT_IGNORE_COOKIES_IN_DUNA_RESUME;
 
 /**
  * Flight to indicate if remove account artifacts should be disabled
diff --git a/IdentityCore/src/MSIDConstants.m b/IdentityCore/src/MSIDConstants.m
@@ -89,6 +89,7 @@
 NSString *const MSID_FLIGHT_CLIENT_SFRT_STATUS = @"sfrt_v2";
 NSString *const MSID_FLIGHT_DISABLE_PREFERRED_IDENTITY_CBA = @"dis_pre_iden_cba";
 NSString *const MSID_FLIGHT_SUPPORT_STATE_DUNA_CBA = @"support_state_duna_cba";
+NSString *const MSID_FLIGHT_IGNORE_COOKIES_IN_DUNA_RESUME = @"ignore_cookies_in_duna_resume";
 
 // Making the flight string short to avoid legacy broker url size limit
 NSString *const MSID_FLIGHT_DISABLE_REMOVE_ACCOUNT_ARTIFACTS = @"disable_rm_metadata";
diff --git a/IdentityCore/src/webview/operations/ios/MSIDSwitchBrowserResumeOperation.m b/IdentityCore/src/webview/operations/ios/MSIDSwitchBrowserResumeOperation.m
@@ -29,6 +29,7 @@
 #import "MSIDInteractiveTokenRequestParameters.h"
 #import "MSIDWebResponseOperationFactory.h"
 #import "MSIDConstants.h"
+#import "MSIDOAuth2Constants.h"
 #import "MSIDFlightManager.h"
 
 @interface MSIDSwitchBrowserResumeOperation()
@@ -108,6 +109,15 @@ - (void)invokeWithRequestParameters:(nonnull MSIDInteractiveTokenRequestParamete
     webRequestConfiguration.startURL = [[NSURL alloc] initWithString:self.switchBrowserResumeResponse.actionUri];
     NSMutableDictionary *customHeaders = [webRequestConfiguration.customHeaders mutableCopy] ?: [NSMutableDictionary new];
     customHeaders[@"Authorization"] = [NSString stringWithFormat:@"Bearer %@", self.switchBrowserResumeResponse.switchBrowserSessionToken];
+
+    if (![MSIDFlightManager.sharedInstance boolForKey:MSID_FLIGHT_IGNORE_COOKIES_IN_DUNA_RESUME])
+    {
+        if (customHeaders[MSID_REFRESH_TOKEN_CREDENTIAL] && [customHeaders[@"Cookie"] isEqualToString:@""])
+        {
+            [customHeaders removeObjectForKey:@"Cookie"];
+        }
+    }
+    
     webRequestConfiguration.customHeaders = customHeaders;
     
     NSObject<MSIDWebviewInteracting> *webView = [oauthFactory.webviewFactory webViewWithConfiguration:webRequestConfiguration
diff --git a/changelog.txt b/changelog.txt
@@ -1,3 +1,6 @@
+TBD:
+Allow cookies in duna resume request #1574
+
 Version 1.15.0
 * Query and populate ECC STK in Workplacejoin information for iOS (#1555)
 
