Everyone knows browser closes session when window is closed... interested in this question to deep understanding how session cookie works.
I found around:
Session cookies are never written on the hard drive and they do not collect any information from the user's computer. Session cookies expire at the end of the user's browser session and can also become no longer accessible after the session has been inactive for a specified length of time, usually 20 minutes.
So, the question is - how long are sessions in common browsers - chrome, firefox, ie, opera?
The session is alive as long as the browser and the server think it's alive for - for the browser, that is typically as long as the browser is open (assuming no "remember me" functionality). But the webserver may discard the session data if it thinks the client has gone away. For many web servers, this is set to be 20 minutes sin ce the previous request on that session - this is not dependant on the vendor of the browser.
Related
I am currently implementing an "auto-login" mechanism in JSF, see
Cookie maxAge always -1
I have tested the following scenario:
A user logs in without "remember me", then directly closes the browser without clicking log-out (if click log-out, cookie's maxAge will be set to 0). Later, if the user loads the page again, in the filter, the cookie is present in the request (normal, because cookie maxAge is not changed to 0 when closing the browser), and the user is automatically logged-in, which is not what I want.
Is there a way to solve this? what is the relation between cookie and session? I use session scope. As what I know, session won't get destroyed when the browser is closed, it is up to the server's decision. Therefore, I can't use #PreDestroy. I can't use Jquery.unload neither, because a user can also close the tab only, not the browser. Also in my application, several tabs can be opened at the same time...
Any suggestions?
You seem to want the cookie live as long as the opened browser instance. I.e. you want the cookie to live as long as the browser session.
Just make it a session cookie by giving a max age of -1. The cookie will then live as long as the browser instance.
As to the relationship between HttpSession and cookies, head to How do servlets work? Instantiation, sessions, shared variables and multithreading. Key difference is that the HttpSession has also a server-managed timeout.
Question 1
My secure web application sets a session cookie for authenticated users which is not cleared even after I close my Chrome browser.
As a result, when a user tries to hit the dashboard page of my application after re-launching the browser (even restarting machine!), they are not asked to login again. Chrome is NOT set to "continue where I left off" which is also my next question.
I tested my bank's site under the same settings and it seems to force log out the user even when Network tab shows that same cookies are being retained (and sent with initial request header) for bank site as well. My server is Apache over SSL.
Can someone please point to some resource where I can handle this scenario because Chrome clearly is not clearing session cookie at the time of browser closing.
Question 2
Now with the setting "continue where I left off" where it basically persists your sessional cookies and practically you can remain authenticated forever, is there a way to override/work around this Chrome feature.
When I see even my supposedly secure bank site letting a browser bypass security like that, it kind of makes me unnerved. Any suggestions there?
Cheers!
What ended up fixing this issue for me was to uncheck the:
Continue running background apps when Google Chrome is closed
setting under the SYSTEM section.
Hope this helps save some headaches....
See update at end of question
In Rails 4 I understand that sessions are, by default, only supposed to exist for the browsing session. If you closed your browser, the sessions should no longer exist.
However, I'm not finding that to be the case. I have a Rails 4 app using all the defaults provided by Rails. I was working on some authentication code and ran into this problem.
When the user logs into the system, they have the option to "remember me" via a checkbox. When they check the box, the session should have an expiration of 2 weeks. The goal is that when the user logs into the system and closes his browser, he can then open the browser up again and use the app without having to authenticate again.
On the flip side, if the user does NOT want to check the "remember me" box and logs in to the app and closes the browser, when the browser opens again the user should be required to authenticate again because his session "expired" when the browser closed.
The problem is that my sessions never go away. I tested some simple code where on page 1 I set a session variable in the controller and then on page 2 I display that session. When I close the browser and go to page 2 (not page 1 so session is not set again), the session still exists as it did before.
I thought sessions were supposed to expire when the browser closed by default? I have also tried this with "cookies" instead of sessions and get the same result.
In short, how can I get a session/cookie that expires/dies when the user closes their browser? It doesn't seem very secure to me to have all sessions persist if the user doesn't want them to, and I'm not going to have my users delete their cookies everytime they close their browser (may be on a public computer where their login info should ONLY persist until they close the browser).
Update
I think I found what may be causing the problem. I'm using Chrome as my browser and I had it set to "remember where I left off" when the browser closes and opens. This seems to save all sessions/cookies. I verified this with Gmail as well. If you have the "remember where I left off" set, but don't set the remember me token in Gmail, Gmail opens right back up when you close/open browser. If you tell Chrome to open a new tab on open, then Gmail sends you to the login page like I expect.
So that solves one problem, but the overall problem still persists. How can I make this "secure"? Let's say you're at a public computer, and a malicious user sets the browser to "remember where I left off" when the browser opens. So you login to an app (such as Gmail) but don't check the "remember me" box. So when you close the browser you expect your login to be "secure". But if another user opens the browser back up, he's already logged into your app.
Is this something I can feasibly prevent? If Gmail has this flaw (with an army of very intelligent developers) should I be bothered that this situation exists?
The browser "remember where I left off" functionality was indeed the problem. Removing that option resulted in the "expected" behavior for my cookies/sessions.
If cookies are disabled in a browser, can we create a non persistent cookie which will get destroyed when the browser is closed?
go through below links, will clarify your doubts.
1) Session Cookies.
2) Persistent Cookies.
3) Managing Cookies.
4) Creating Session Cookies.
No. What the browsers do with your cookie is up to them. You can only offer them one, not dictate what they do with it.
My browser is set up to ask me if I want to accept cookies, and if I want to I can override their expiration to browser exit.
Persistent cookies are permanent cookies.They are stored as a text file in the hard disk of the computer.
Non-persistent cookies are stored in browser processor in temporarily. Its also called in memory cookies. Non-Persistent cookies are otherwise called as temporary cookies.They are active as long as the browser remains active.They are also called as session based cookies.Once the browser is closed the cookies vanishes automatically.
Non-persistent cookies are cookies in any way. So if cookies are disabled, it includes disabling all types of cookies i.e locking the browser out of writing any data to the main memory or the file system.
However if you wish to store session information you can use cookie less sessions, which obviously use the alternative of adding a session key to the address.
if I am logged in on my application but if i choose closing browser without clicking on logout how will be I logged out from server automatically?
Unless you have the user explicity log out, your server cannot know the user has closed their browser.
You can simply let sessions timeout naturally, for example, after ten minutes of inactivity.
Alternatively, you can add some js to the page to make regular pings back to the server to keep a session alive while the browser window is open.