Description
Core Library
MSAL.js (@azure/msal-browser)
Core Library Version
4.27.0
Wrapper Library
MSAL React (@azure/msal-react)
Wrapper Library Version
3.0.23
Public or Confidential Client?
Public
Description
In our development environment, we're providing the website using localhost without SSL.
I noticed that Safari seems to lose the session when reloading, and this problem seems to be only in our development environments, and only when using Safari - but I was still curious about what the source of this problem could be, so I started investigating.
The problem seems to originate in the way Safari handles cookies that have the secure flag enabled if the domain setting this cookie is not secure, which Safari chooses to discard. Other browsers seem to be more reluctant in this and just keep it around (maybe with some special treatment if it's on localhost).
The cookie msal.cache.encryption, introduced in v4, is one where the secure flag is enforced:
microsoft-authentication-library-for-js/lib/msal-browser/src/cache/LocalStorage.ts
Lines 135 to 141 in 7955a28

    cookies.setItem(
        ENCRYPTION_KEY,
        JSON.stringify(cookieData),
        0, // Expiration - 0 means cookie will be cleared at the end of the browser session
        true, // Secure flag
        SameSiteOptions.None // SameSite must be None to support iframed apps
    );

Looking further, this issue seems to be related to #7935, #8059, #7537, and many others.
Error Message
The user is required to log in again.
MSAL Logs
Here are the logs when reloading the page:
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - initialize called (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Executing function initializeCache (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Executing function generateBaseKey (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - initialize called (auth.msal.ts, line 41)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - There is already an instance of MSAL.js in the window. (auth.msal.ts, line 35)
[Warning] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Warning - There is already an instance of MSAL.js in the window with the same client id. (auth.msal.ts, line 38)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Executing function initializeCache (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Executing function generateBaseKey (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Returning result from generateBaseKey (auth.msal.ts, line 41, x2)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Executing function urlEncodeArr (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Returning result from urlEncodeArr (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Executing function generateHKDF (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Executing function urlEncodeArr (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Returning result from urlEncodeArr (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Executing function generateHKDF (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Returning result from generateHKDF (auth.msal.ts, line 41, x2)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Executing function importExistingCache (auth.msal.ts, line 41, x2)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Returning result from importExistingCache (auth.msal.ts, line 41, x2)
[Info] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Info - MSAL.js was last initialized by version: 4.28.1 (auth.msal.ts, line 32, x2)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Returning result from initializeCache (auth.msal.ts, line 41, x2)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - Claims-based caching is disabled. Clearing the previous cache with claims (auth.msal.ts, line 35)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Executing function clearTokensAndKeysWithClaims (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Returning result from clearTokensAndKeysWithClaims (auth.msal.ts, line 41)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - Claims-based caching is disabled. Clearing the previous cache with claims (auth.msal.ts, line 35)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Executing function clearTokensAndKeysWithClaims (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - Returning result from clearTokensAndKeysWithClaims (auth.msal.ts, line 41)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - initialize called (auth.msal.ts, line 41)
[Info] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Info - initialize has already been called, exiting early. (auth.msal.ts, line 32)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - initialize called (auth.msal.ts, line 41)
[Info] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Info - initialize has already been called, exiting early. (auth.msal.ts, line 32)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - Event callback registered with id: 019cd2fc-df88-7d9e-9b55-6c48e3328d96 (auth.msal.ts, line 35)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-react@3.0.25 : Verbose - MsalProvider - Registered event callback with id: 019cd2fc-df88-7d9e-9b55-6c48e3328d96 (auth.msal.ts, line 35)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - initialize called (auth.msal.ts, line 41)
[Info] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Info - initialize has already been called, exiting early. (auth.msal.ts, line 32)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-react@3.0.25 : Verbose - MsalProvider - Removing event callback 019cd2fc-df88-7d9e-9b55-6c48e3328d96 (auth.msal.ts, line 35)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - Event callback 019cd2fc-df88-7d9e-9b55-6c48e3328d96 removed. (auth.msal.ts, line 35)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - Event callback registered with id: 019cd2fc-df88-7580-a035-c3219a76e3f3 (auth.msal.ts, line 35)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-react@3.0.25 : Verbose - MsalProvider - Registered event callback with id: 019cd2fc-df88-7580-a035-c3219a76e3f3 (auth.msal.ts, line 35)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - initialize called (auth.msal.ts, line 41)
[Info] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Info - initialize has already been called, exiting early. (auth.msal.ts, line 32)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - initialize called (auth.msal.ts, line 41)
[Info] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Info - initialize has already been called, exiting early. (auth.msal.ts, line 32)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - initialize called (auth.msal.ts, line 41)
[Info] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Info - initialize has already been called, exiting early. (auth.msal.ts, line 32)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - handleRedirectPromise called (auth.msal.ts, line 35)
[Log] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Trace - BrowserCacheManager.getTemporaryCache: No cache item found in local storage (auth.msal.ts, line 41)
[Info] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Info - handleRedirectPromise called but there is no interaction in progress, returning null. (auth.msal.ts, line 32)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - handleRedirectPromise has been called for the first time, storing the promise (auth.msal.ts, line 35)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - handleRedirectPromise called (auth.msal.ts, line 35)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - handleRedirectPromise has been called previously, returning the result from the first call (auth.msal.ts, line 35)
[Info] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-react@3.0.25 : Info - MsalProvider - handleRedirectPromise resolved, setting inProgress to 'none' (auth.msal.ts, line 32)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - getAllAccounts called (auth.msal.ts, line 35)
[Info] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-react@3.0.25 : Info - MsalProvider - handleRedirectPromise resolved, setting inProgress to 'none' (auth.msal.ts, line 32)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - getAllAccounts called (auth.msal.ts, line 35)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - getAllAccounts called (auth.msal.ts, line 35)
[Debug] [Mon, 09 Mar 2026 14:25:13 GMT] : [] : @azure/msal-browser@4.28.1 : Verbose - getAllAccounts called (auth.msal.ts, line 35)
Network Trace (Preferably Fiddler)
- Sent
- Pending
MSAL Configuration

    {
        auth: {
            authority: getAuthority(import.meta.env.VITE_AZURE_DEFAULT_AUTHORITY),
            clientId: import.meta.env.VITE_AZURE_CLIENT_ID,
            // Since we're only using either silent or popup calls, we can set a blank page as default. ("For silent and popup calls it's best to use a blank page." - https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/errors.md#hash_empty_error)
            redirectUri: "/login-redirect.html",
        },
        cache: {
            // Share login state across tabs and windows
            cacheLocation: "localStorage",
        },
    };

Relevant Code Snippets
No special setup required.
Reproduction Steps
- Set up a website with MSAL login and run it locally.
- Open this website in Safari.
- Log in.
- Reload the page.
Expected Behavior
The user should remain logged in after reloading the website.
Identity Provider
Entra ID (formerly Azure AD) / MSA
Browsers Affected (Select all that apply)
Safari
Regression
No response
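
The report above attributes the lost session to Safari discarding a cookie set with the Secure flag on a non-HTTPS localhost origin. As an added example (not part of the original issue and not MSAL code), the following check writes a throwaway cookie with the same Secure and SameSite=None attributes and reads it back, so a development build can tell whether the browser keeps such cookies on the current origin. The probe cookie name, the function names and the fake document are assumptions made for this sketch; the fake document is a constructed model of the two behaviours described in the report.

```javascript
// Hypothetical probe cookie name; it is not a cookie used by MSAL.
const PROBE_NAME = "secure_cookie_probe";

// Return the value of a cookie from a document-like object, or null.
function readCookie(doc, name) {
  const prefix = name + "=";
  for (const part of doc.cookie.split(";")) {
    const c = part.trim();
    if (c.startsWith(prefix)) return c.slice(prefix.length);
  }
  return null;
}

// Write a cookie with the attributes quoted in the issue (Secure,
// SameSite=None, session lifetime), check it is readable, then delete it.
function secureCookieSurvives(doc) {
  const value = String(Date.now());
  doc.cookie = `${PROBE_NAME}=${value}; Path=/; Secure; SameSite=None`;
  const kept = readCookie(doc, PROBE_NAME) === value;
  doc.cookie = `${PROBE_NAME}=; Path=/; Max-Age=0; Secure; SameSite=None`;
  return kept;
}

// Constructed stand-in for document.cookie so the check runs outside a
// browser. dropSecure=true models a browser that discards Secure cookies
// on a non-secure origin, as the report describes for Safari.
function makeFakeDocument(dropSecure) {
  const jar = new Map();
  return {
    set cookie(str) {
      const [pair, ...attrs] = str.split(";").map((s) => s.trim());
      const flags = attrs.map((a) => a.toLowerCase());
      if (dropSecure && flags.includes("secure")) return;
      const eq = pair.indexOf("=");
      if (flags.includes("max-age=0")) jar.delete(pair.slice(0, eq));
      else jar.set(pair.slice(0, eq), pair.slice(eq + 1));
    },
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join("; ");
    },
  };
}

// In a browser, report the result before any auth library is initialized.
if (typeof document !== "undefined" && !secureCookieSurvives(document)) {
  console.warn(`Secure cookies are not kept on ${location.origin}; ` +
    "serve the development site over HTTPS to keep session cookies.");
}
```
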