Remove Requirement for Browser Cookie

I have a Vaadin app that is running within a web page iFrame. It is running in HTTP and we have no need for cookies, however, it appears as though the default behavior is to require cookies. This poses a slight inconvenience with people hitting the site with Mac OSX Safari as that browser is pretty strict and many visitors with Mac OSX don’t understand how to enable the function. Is there a way to disable the requirement for cookies so that no browser will be stopped from hitting the site?

You can see the application running at:

Any suggestions on making a seamless customer experience would be appreciated.


Vaadin uses cookies to track the user session, which is very central to its function. I don’t know if there are any technical reasons why it would not be possible to track sessions otherwise, the session key is already passed in every request. There is a
ticket for it

It might mean trouble for some features, such as opening new windows or refreshing the window.

There is a system message for complaining about disabled cookies. You should be able to customize it to give more detailed instructions.

There are workarounds for Safari and Internet Explorer not allowing to set cookies:
In Internet Explorer you need to specify a P3P policy and in Safari your initial request should HTTP POST to itself

String response = "<html><body><script>var cookieForm = document.createElement('form');cookieForm.method='post';document.body.appendChild(cookieForm);cookieForm.submit();</script></body></html>";
InputStream stream = new ByteArrayInputStream(response.getBytes());
return new DownloadStream(stream, "text/html", null);

What is the status of this issue ?
Is it possible to run a vaadin application in a browser with cookies disabled today?

At least the
mentioned above isn’t closed, so I’d assume not. Well, if you dare to compile Vaadin yourself, the patch in the ticket might do it, although I don’t know if it’s applicable anymore.

I see there’s even a (4-month old) pull request to make this change: +1 to getting it done. :slight_smile: Thanks!


Is this released ?

No. The feature involves rather important core functionality in Vaadin, so the core developers need to consider it carefully if there’s any problems. Unfortunately, they haven’t had the time yet, but it’s on their list, hopefully not too far.

Thank you for the quick answer!
Hope they will find a solution!

Looking forward to test it!

Hi all,

I already posted a similar issue (!/thread/14814387)

I have my Web app at which has the following features :

  • Push is enabled : @Push(transport=Transport.WEBSOCKET_XHR)
  • @PreserveOnRefresh

I need push since I have the Facebook oAuth for Facebook logins

If I try on with both Chrome and Firefox everything works fine
If I try with either Safari or Edge on, it says → Cookies Disabled. This application requires cookies to function
If I try Safari directly on my Eclipse IDE with Tomcat 7 it works fine (localhost or private IP) …

Been noodling around for hours with this one …

Halp !




ProxyPass / http://localhost:8080/
ProxyPassReverseCookiePath / /
ProxyPassReverseCookieDomain localhost