I'm creating a session cookie via JavaScipt. The cookie is being created successfully, and when I check in Chrome developer tools, I see the cookie with an "Expires-Max Age" value of 'Session'. When I close the application in the Chrome tab, or when I close the entire browser, and re-enter the application, the cookie is still there. How long does it take for the cookie to actually be removed? Or is there something else I need to do?
Related
I am working on a google chrome extension that takes-over control of Chrome's cookie management, and instead, my extension should manage the cookies.
What I did is the following:
at extension startup (after browser has started) it downloads from a cloud service cookies already stored for some URLs.
chrome.webNavigation.onCreatedNavigationTarget - here i establish (for given URL) if my extension will manage the cookies or not. If yes, I mark some internal variables to establish something like an "internal session". If I already have cloud-cookies for this URL, then I set them in the session variable, to be later used. If not, the session variable is simply initialized with blank data.
in chrome.webRequest.onBeforeRequest i do some checks if i have a session internally for given URL but nothing special here.
in chrome.webRequest.onBeforeSendHeaders - here is where i set the cookie header with what exists internally in the session variable (which is either something restored from cloud or the cookies received via set-cookie from the website)
in chrome.webRequest.onHeadersReceived i overwrite any already existing internal cookies (if any) with whatever new data was received from the website (via the set-cookie headers), so all future requests are updated
either when browser is idle or when the user closes the tab, cookies get uploaded to cloud-service, so later they can be restored.
Besides the above simplistic description that I mentioned, there's also a content script that runs from the extension's codespace, which injects and executes a javascript on the URL in order to override document.cookie setter and getter, in order to pass the cookies managed from background script to content area and viceversa (there's some communication between the 2 "channels", cookies get updated back and forth)
Things apparently work. I navigate to a URL, login with some credentials, cookies are handled/passed etc. I then close the tab, verify the cookies where sent to cloud-service, then restore the tab (via reopen previously closed tab) and test if navigation is still possible - and it is and is still managed by the background script, etc. Also verified by debugg inspector (navigated to application - storage - cookies) confirmed there are no cookies at all inside the browser. Even executing document.cookie from console, shows that there are some cookies being used, etc.
However, the last testing scenario, where i close the browser, reopen it... so it fetches the cookies again from the cloud service. At the point when I navigate again to URL-1, i see from my internal logging that:
the session has been created at step 2
at step 4 (onBeforeSendHeaders) cookies get added to request-headers like i expected, i then confirm this in Navigation-inspector by inspecting various requests to see if the cookies have been sent or not, etc.
But at the first onHeadersReceived i see that the cookies "have not been accepted" and they already been overwritten, like they never existed before... (obviously, I'm being asked again to login/etc) - totally not what I expected. It behaves like the request contained no cookies at all initially. (if then i login again... all navigation works great... all until i reopen the browser again).
What would you guys believe that could be the cause for this behavior?
I'm not an expert on how cookies get stored/passed/etc :(
I have a requirement to have only one active session per user in my application. Currently, I'm using sessionId and storing it in sessionStorage as well as in a database for the logged in user. Whenever the same user tries to log into the application from another tab or browser, I'm comparing the sessionId and also checking if the session is already active for that user or not using sessionId (I'm using Apache Shiro for session management), if yes, then they get redirected to invalid session page, otherwise if the session is invalid, the user can proceed with the login (clearing sessionId on logout action).
Now, I have one situation, when the user logs into the application and accidentally closes the browser or tab with active session or user PC gets restarted, then they cannot log into the application till the old session gets timed out (user session times out after 15 mins of inactivity). I want to allow user to login if active session tab gets closed accidentally. Is there any way I can handle this situation?
HttpSessions are not linked to tabs, they are browser scoped. If a user tries to login from an other tab, you known it has an active session within that browser. So in that case simply do not offer a login form.
If a tab is closed, you might have other tabs open which use the session, so it would not make sense to invalidate a session on closing a tab.
You cannot detect and act on a PC shutdown. So you will never get what you want to be bulletproof.
I would implement it like this: if a user tries to log on, and there is an "active" (recent) session in the database, warn the user that an active session is found and that continuing will invalidate the other session(s).
See also:
How can I load Java HttpSession from JSESSIONID?
Since you've tagged the question with PrimeFaces, you might want to check out p:idleMonitor. It can help you to invalidate inactive sessions from the client side.
See also:
Timeout via PrimeFaces p:idleMonitor
Primefaces Idle Monitor when multiple web pages are active in multiple Tab of Browser
The way we keep track of whether a user has a valid login is with a token in localStorage. However, when they close the browser and reopen it, this token still exists, and so they can still visit the site until it expires on its own. I have tried changing the token to a sessionStorage value, but it doesn't have the login token in a new tab. I've also looked at beforeunload, but that doesn't distinguish between closing a tab or window and a simple refresh.
Here is a list of things I want to happen and which storage method works for that:
When a user logs in, they can open new tabs and still access the site with the same token sharing across tabs. (localStorage)
When a user closes a tab, they can still access the site as well. (localStorage)
When a user refreshes a tab, they can still access the site. (localStorage)
When they close the browser, the token disappears. (sessionStorage)
If they re-open the browser, they must log in again. (sessionStorage)
How can I combine these two functionalities?
I am new to web development and I am trying to implement log in functionality. I have successfully implemented the log in functionality. When I open www.bla.com/login I am able to log in post which gets redirected to the homepage.
Problem: If open another tab and type: www.bla.com/login it again opens login page. Ideally if I am logged into one of the tab, I should be redirected to homepage irrespective the url being pointed to login page.
P.S: I am not sure what chunk of code I need to share here because I am not sure what causes this issue. Please help or let me know if I need to post my code base. I am using JavaScript and backbone as front end.
EDIT
I have a REST Service which gets hit when I login and REST service gives me back a User Specific Token. I use this user specific token to again call another Rest Service to fetch more user specific data.
So, basically I need to put a check on this token received. The token received I have stored in browser session. But when I go to another tab and try to access that token its NULL. So I am assuming every tab in browser does not share the session storage. If Yes, then where shall I place this Token so that if someone hits the login page I should check whether a token already exists. if exists then redirect to home page. Kindly guide.
It is hard to say without seeing your code, so let me make an educated guess:
Most likely you do not create cookie with some sessionId after user is successfully logged in.
This cookie would be then used in every request sent to the server, to prove that user is indeed authenticated.
When you open a new tab and there is no cookie/session created, than this new instance of application has no knowledge of the other instance, where user is already logged in.
You may want to look at this answer
EDIT
Maybe you are using sessionStorage instead of cookies. At least I would say so, when I read about behaviour of your app.
See the docs for session storage
The sessionStorage property allows you to access a session Storage
object. sessionStorage is similar to Window.localStorage, the only
difference is while data stored in localStorage has no expiration set,
data stored in sessionStorage gets cleared when the page session ends.
A page session lasts for as long as the browser is open and survives
over page reloads and restores. Opening a page in a new tab or window
will cause a new session to be initiated, which differs from how
session cookies work.
So make sure that you application store the token either in cookies or in localStorage. And also that it correctly reads from them. Maybe the cookies is created, but never read?
I need to display a popup to the user once per session. My thought was to create a session cookie by creating a cookie with no expiration date to track if the popup has already been displayed. These cookies should be removed when the browser is closed. I have since learned that Chrome has a "feature" where session cookies are not removed (Chrome doesn't delete session cookies).
I am not asking why the cookies aren't deleted in chrome. I am asking if there is a way to force chrome to remove the cookies or some other solution to only display a popup once per session.
You can maybe use sessionStorage to store your flag? http://www.w3schools.com/html/html5_webstorage.asp
Or is this information required to be sent to the server on every request?