I am building an extension which every time the browser opens asks user for a strong password. Its purpose is that it uses that password to derive and generate strong passwords for new websites upon registration and it tries to regenerate same passwords next time a user visits an already visited website.
I am using below method to store user's masterpassword(used for password generation) which is sensitive information:
window.sessionStorage.setItem(varName)
And I use below method to get it whenever it is needed.
sessionStorage.getItem(varName)
My problem is that I want this data which is stored in browsers data to be valid as long as Chrome open. This master password needs to be cleared every time user closes the browser and to be asked every time it gets reopened.
I read that session storage is temporary and it gets cleared but it does not work for my extension. I also know that there is nothing to add in order to detect browser getting closed as it stops running your script.
Can you please help me with it? Is there such method that keeps data for a short time?
Since Manifest V3 removed the notion of persistent background pages. You can imitate this with chrome.storage.local. The only caveat regarding this is that it stores the variable in the extensions local storage which is still okay for that user.
One way to imitate a browser closing is by creating a chrome.runtime.port that is opened and then when the browser closes or the extension gets reloaded it will call onDisconnect for that port, and you can clear your chrome.storage.local.clear():
chrome.runtime.onConnect.addListener(port => port.onDisconnect.addListener(() => chrome.storage.local.clear()))
When the browser is launched, just connect:
chrome.runtime.connect(null, {})
That might unload itself when background script goes back to sleep, unfortunately, the only way to get passed that is to keep your own managed extension window that pops up. But that might be overkill for user experience.
Related
I have created a chrome extension for generating passwords and outputting the phonetic version as well.
Basicly the extension creates the password and displays it in one DIV and the phonetic version in another, so if password was 'ac3', password DIV would show 'ac3' and phonetic DIV would show 'Alpha, Charley, Three'.
The problem is that as soon as I click outside the extension popup it disappears and I loose the current password.
My first attempt to sort this was to use chrome.storage.local.set after creating the password and then re-populating the password DIV via chrome.storage.local.get when you click on the extension again, this works great, but the data is available from any tab within the browser (even separate windows).
I understand that storing the password in any way is insecure, but wanted to find a way to limit the data stored to the current tab rather than globally.
I haven't found a way to keep the extension popup displayed to allow a user to copy/paste both DIVs.
Anyone got any pointers?
Also anyone able to point me in the direction of wiping the local storage value after a set amount of time? Just to make things slightly more secure.
This extension is used mainly for admin work, where you need to create a new password for a user, copy/paste it into a portal and then SMS/Email the password to the end user.
Data stored in chrome.storage is only available to your own extension, so it's not any less secure than any other way of storing it.
Just store it via chrome.storage.local.set() and then delete it a few minutes later, if unused. You'll have to set a deletion mechanism in background.js via chrome.runtime.sendMessage or chrome.alarms
I had also tried sessionStorage in the popup, but sadly it's lost as soon as the popup is closed. Same goes for history.replaceState.
When I enter user id and password in netsuite every time it asks me my security questions , how can I stop this happening every time. Other people in my team are not having similar issue so I wonder what needs to be changed in my settings
*Note: I am not having administrator role
NetSuite saves a cookie in your browser in order to recognize your machine and browser the next time you log on. If it does not find this cookie it will ask a security question. There are several conditions under which this can occur:
You log on using a different machine.
You use the same machine, but a different browser.
You use 'private browsing' or 'incognito' mode.
You use a browser extension or other program which automatically deletes your browser cache, or cookies, when you exit.
You have your browser itself set to empty cache on exit. E.G.: Chrome has a setting to "Keep local data only until you quit your browser"
Anything else that might interfere with cookies.
You'll need to check which of these apply to you and act accordingly. If you're still unsure what could be causing it, you could reset your browser to defaults, or install a completely new browser and test whether it still happens with that. You may need to disable or uninstall any browser extensions too.
I'm using this webmailer to check my private email:
https://webmailer.hosteurope.de/login.php
using FireFox as browser on several different computer systems.
However I have the problem with one of my computers:
Firefox IS saving the login data (login+password) but the next time I'm accessing the webmailer page this data is not used.
That means on this system I have to type my username+password everytime I
want to check my mails which is quite annoying.
Of course I've already tried the usual hints (Google was my friend) but the problem IS NOT that data is not saved! The problem is that saved login data is not used!
Any hints what my cause this problem?
ps: The misbehaving system is new and was configured with a preinstalled :-\ Win10 - all other systems are Win7. But I cannot imagine that this might be causing this behavior!? Firefox was manually installed by me on all systems. So no special settings that I applied.
Try going to Preferences -> Security -> Saved Logins... and check whether the correct domain name is stored. It could be that you saved the login information after you input them wrong. Sometimes when you input wrong username/password you get redirected to a separate page that informs you that you input the wrong credentials. This page sometimes has a login form. If you save the credentials when you are on that page they may only be filled on that page and not the main login page. For example, if you input wrong credentials on somedomain.com and get redirected to somedomain.com/wrong_password and save the credentials there, Firefox might only fill the form on the later page.
If this fails, try refreshing Firefox. Be careful to backup important data first. Usually they are restored automatically, but sometimes it fails. Instructions here: https://support.mozilla.org/t5/Procedures-to-diagnose-and-fix/Refresh-Firefox-reset-add-ons-and-settings/ta-p/23405
If everything fails, you can report it to Firefox at https://bugzilla.mozilla.org/
I have a webserver (Nodejs+express+ passport) that uses passport for local authentication. Does anyone know if there is some kind of callback occurring when user closes the browser tab? I would like to be able to detect this because I am trying to save logout time stamps for those users that do not explicitly logout (i.e. by clicking log out).
Thank you!
I would have asked you to check the questions on SO first, but I think is no way to do it the way you are trying. Well, check these links: how to run code on window close or refresh and how to detect it was close
Basically you can't. This is one of the reasons why many applications show 'last login time' and not logout time to users, see if that works for you.
Regarding saving the logout time of a user: I would say do not store the value at all. The sessions should be allowed to expire based on configuration: users can be logged out even by staying inactive a long time. A logout time for such users may calculated later, based on their last activity time, (which you can store on each page load/call to your server, when you refresh the user's session timer) and the session timeout value. Now this can be calculated when the user logs in the next time, or using a background process.
You can store the lastActivityDate of the user, and assume that a user is considered offline after xx minutes.
You can try to execute a ajax call on window unload, but if the user has two open pages, and he closed one, the data will be false. It is also not certain that the request reaches the server.
You can set a very short expiration time on your session, and while a page is open, do a ajax regular ping to keep the session open.
See update at end of question
In Rails 4 I understand that sessions are, by default, only supposed to exist for the browsing session. If you closed your browser, the sessions should no longer exist.
However, I'm not finding that to be the case. I have a Rails 4 app using all the defaults provided by Rails. I was working on some authentication code and ran into this problem.
When the user logs into the system, they have the option to "remember me" via a checkbox. When they check the box, the session should have an expiration of 2 weeks. The goal is that when the user logs into the system and closes his browser, he can then open the browser up again and use the app without having to authenticate again.
On the flip side, if the user does NOT want to check the "remember me" box and logs in to the app and closes the browser, when the browser opens again the user should be required to authenticate again because his session "expired" when the browser closed.
The problem is that my sessions never go away. I tested some simple code where on page 1 I set a session variable in the controller and then on page 2 I display that session. When I close the browser and go to page 2 (not page 1 so session is not set again), the session still exists as it did before.
I thought sessions were supposed to expire when the browser closed by default? I have also tried this with "cookies" instead of sessions and get the same result.
In short, how can I get a session/cookie that expires/dies when the user closes their browser? It doesn't seem very secure to me to have all sessions persist if the user doesn't want them to, and I'm not going to have my users delete their cookies everytime they close their browser (may be on a public computer where their login info should ONLY persist until they close the browser).
Update
I think I found what may be causing the problem. I'm using Chrome as my browser and I had it set to "remember where I left off" when the browser closes and opens. This seems to save all sessions/cookies. I verified this with Gmail as well. If you have the "remember where I left off" set, but don't set the remember me token in Gmail, Gmail opens right back up when you close/open browser. If you tell Chrome to open a new tab on open, then Gmail sends you to the login page like I expect.
So that solves one problem, but the overall problem still persists. How can I make this "secure"? Let's say you're at a public computer, and a malicious user sets the browser to "remember where I left off" when the browser opens. So you login to an app (such as Gmail) but don't check the "remember me" box. So when you close the browser you expect your login to be "secure". But if another user opens the browser back up, he's already logged into your app.
Is this something I can feasibly prevent? If Gmail has this flaw (with an army of very intelligent developers) should I be bothered that this situation exists?
The browser "remember where I left off" functionality was indeed the problem. Removing that option resulted in the "expected" behavior for my cookies/sessions.