Chrome and Firefox for Android don't seem to include cookies in the request to the manifest start_url when opening a Progressive Web App. My authentication system redirects the user to the login page. But as soon as the login page is refreshed, the user is redirected away from the login page because really they are already logged in.
Setting start_url to a different page that issues a 302 redirect back to the original page does not work either. However, a redirect using meta-refresh does successfully pass cookies to the page.
Can someone explain this behaviour?
Set SameSite cookie policy to lax
With SameSite=Strict the cookie will not be sent if you are visiting a link from a different web page, which is what happens when you open the PWA for the first time, and that's where SameSite=Lax comes in by allowing the cookie to be sent with these top-level navigations.
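The SameSite decision described in the answer, as an added example that is not part of the original post. It is a simplified model, not browser code: the host names, cookie value and request fields are constructed, and a PWA launch is assumed to be a top-level GET with no same-site initiator.

```javascript
// Simplified model of a browser's SameSite check for one cookie (added example).
// Assumptions: a "site" is compared as a plain host string, and a PWA launch
// is modelled as a top-level navigation whose initiator is not the app's site.

function sessionCookie(value, sameSite) {
  // Set-Cookie header value a server would send for its session cookie.
  return `session=${value}; Path=/; Secure; HttpOnly; SameSite=${sameSite}`;
}

function parseSameSite(setCookie) {
  const m = /;\s*SameSite=(Strict|Lax|None)/i.exec(setCookie);
  // Assumption: a cookie without the attribute is treated as Lax.
  return m ? m[1].toLowerCase() : 'lax';
}

function cookieIsSent(setCookie, req) {
  // Same-site requests always carry the cookie.
  if (req.initiatorSite === req.targetSite) return true;
  switch (parseSameSite(setCookie)) {
    case 'none': return true;
    case 'lax': // cross-site: only safe-method top-level navigations
      return req.topLevelNavigation && ['GET', 'HEAD'].includes(req.method);
    default: return false; // strict: never on a cross-site request
  }
}

// Constructed scenarios matching the question.
const SITE = 'app.example';
const launch = { initiatorSite: null, targetSite: SITE, topLevelNavigation: true, method: 'GET' };
// A 302 is followed inside the same navigation, so the initiator is unchanged.
const after302 = { ...launch };
// A meta refresh is a new navigation started by the page that just loaded.
const afterMetaRefresh = { ...launch, initiatorSite: SITE };
// A cross-site form POST, which SameSite=Lax still blocks.
const crossSitePost = { ...launch, initiatorSite: 'other.example', method: 'POST' };

function report(sameSite) {
  const c = sessionCookie('abc123', sameSite);
  return {
    launch: cookieIsSent(c, launch),
    after302: cookieIsSent(c, after302),
    afterMetaRefresh: cookieIsSent(c, afterMetaRefresh),
    crossSitePost: cookieIsSent(c, crossSitePost),
  };
}

console.log('Strict', report('Strict'));
console.log('Lax', report('Lax'));
```

With Strict only the meta-refresh case carries the cookie, which matches the behaviour in the question; with Lax the launch and the 302 carry it too, while the cross-site POST remains blocked.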