Each time I log into Instagram, it shows two sessions under Login Activity even though I've only logged in once and have only one session open in the browser. Is anyone else experiencing this? I've been seeing this for the past few months.
It must have to do with session cookies. It would be storing a new session cookie instead of updating it, and passing them both while validating your session. Although, I do not think this should pose a security threat unless these cookies are safe. You can verify that by inspecting the cookies passed by intercepting the requests, either from the Network tab in the browser's Developer Tools or by using a tool like Burp Suite, or OWASP ZAP if you're looking for an open-source alternative.
I have a website protected by basic auth, so when someone hits it, they get a standard username/password box. This website is accessed often from shared computers.
Is there any way to prevent the various "Remember my Credentials" functionality on browsers? I would like to prevent any browser from saving this username/password in any client-side repository.
I realize this is purely a function of the browser, but is there any commonly-accepted HTTP header or any other method of asking a website not to do this?
The answer is no. I'm really sorry, but even if you could do this, how would you stop an independent add-in from scraping web sites for username and password boxes and then storing that information?
Even if this were possible in code, it could be easily circumvented by simply ignoring any directives you give, thus rendering such headers pointless.
As stated before, it is not possible to circumvent a browser feature: it could easily save the credentials before it sent the POST, thus stopping anything on the server from preventing it being cached.
I'm creating an application and I want to know whether or not the browser will store the information in the fields if an error occurs, so I can just send the browser back, or whether I should store everything in a session and then place things back as they were from the session. I am developing my application in JSP and Servlets.
Thanks in Advance
Dean
Sometimes they do, but generally they don't; you shouldn't rely on it.
Suppose I have a web app that I want to embed into any other site using an iframe. The iframe references my site and operates independently of the hosting web page.
Well, the browser considers the iframe to be a third party site, therefore its session cookie is considered a third party cookie. Some methods exist to make the browsers happy (e.g. P3P header), but it's still possible the user would have third party cookies disabled entirely. If so, then session cookies can't persist in an iframe.
What are good methods for persisting a session in an iframe on a third party site?
I have faced a similar problem to the one you have here. There is a workaround (it will not work if your intention is to track user behavior across sites):
i. Place a first party persistent cookie on the domain where your iframe is to be hosted. (This can be done using JavaScript).
ii. Dynamically inject the iframe and pass across the value of the cookie to your site.
iii. If you intend to track user behavior across sites, modify the above code so that you use third-party cookies when the browser allows them, else switch to the above approach.
I haven't come across any other way to work around this. If you find a more acceptable solution, do let me know.
My intent is to track a session within the iframe, so that clicks and reloads maintain state. It's not necessary to link sessions between the iframe and the hosting site.
The best I could come up with is cookie-less sessions. It's a bit manual, but with this site running PHP, I just need to ensure the query string always contains "PHPSESSID=x" and it'll automatically attach to that session ID.
Is there any solution for how I can close the browser completely? I need this because I am using Single Sign On from another page, and on that page it is written that only closing the browser will log out the user.
You can't close the user's browser, but if you can identify the cookie which contains the session, you may be able to clear it. How you would do this depends on the language you are using.
In JavaScript, you would have to be operating on the same domain as the cookie you want to clear:
var expired = new Date();
expired.setTime(expired.getTime() - 86400 * 1000); // one day in the past; setTime() takes milliseconds
// the path (and domain, if one was set) must match the original cookie or the browser keeps it
document.cookie = "my_session_cookie_name=; expires=" + expired.toUTCString() + "; path=/";
On the server side, you can output headers to set or clear cookies. Depending on the user's browser settings, you may be able to set cookies on 3rd-party domains. Here's an example in PHP:
// clear the cookie for the current host and path
setcookie('my_session_cookie_name', '', time() - 86400);
// clear the cookie for example.com and all its subdomains
setcookie('my_session_cookie_name', '', time() - 86400, '/', '.example.com');
No, you cannot.
"on that page it is written that only closing the browser will log out the user"
If you could run JavaScript in the right domain (the Single Sign On server's domain), I bet that you could log the user out just by deleting the session cookie.
No you cannot force a user's browser to close without their permission.
Edit: Even though there are workarounds for some browsers, it is a bad practice and considered intrusive.
At least not in Firefox; otherwise it would be a big usability issue.
Delete the cookies when you close the tab.
It's possible to close a browser window that was opened via JavaScript, but since the user opened the first browser window, it won't be possible to close all of them.
Your SSO should have some kind of logout function; it would be better. This function would clear the user's cookies or clear the session on the server side.
If each SSO site is given its own cookie, you may need to log the user out of each SSO site individually. Hopefully each site has its own "log me out" URL and you can open a page with multiple iframes to each SSO site.
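As an added example (not code from the answer above), here is the "one page with an iframe per SSO site" idea: each site's own logout URL is loaded in a hidden iframe so that site can clear its own cookie. The logout URLs, the host allowlist and the timeout are assumptions; real logout endpoints may require a CSRF token or a redirect parameter, and a site that sends X-Frame-Options or a CSP frame-ancestors header will refuse to load in the frame at all.

```javascript
// Added example, not code from the thread: a logout page that frames each SSO site's own
// logout URL. LOGOUT_URLS and ALLOWED_HOSTS are assumed values.
const LOGOUT_URLS = [
  'https://sso.example.com/logout',
  'https://mail.example.com/logout',
  'https://wiki.example.com/logout',
];
const ALLOWED_HOSTS = new Set(['sso.example.com', 'mail.example.com', 'wiki.example.com']);

// Only frame https URLs on hosts we know; anything else (http, other hosts, junk) is dropped
// rather than turned into an iframe pointing at an attacker-chosen page.
function isAllowedLogoutUrl(url, allowedHosts = ALLOWED_HOSTS) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  return u.protocol === 'https:' && allowedHosts.has(u.hostname);
}

function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Static variant: the HTML of the logout page, one hidden iframe per allowed URL.
function buildLogoutPage(urls, allowedHosts = ALLOWED_HOSTS) {
  const frames = urls
    .filter(u => isAllowedLogoutUrl(u, allowedHosts))
    .map(u => `  <iframe src="${escapeAttr(u)}" style="display:none" referrerpolicy="no-referrer"></iframe>`);
  return ['<!doctype html>', '<p>Signing you out of all sites...</p>', ...frames].join('\n');
}

// Dynamic variant for the browser: inject the frames, then call done('done') once every
// frame has fired load (which only says a response arrived, not that the logout worked),
// or done('timeout') after timeoutMs so a hung site cannot block the page forever.
function runFrontChannelLogout(doc, urls, timeoutMs, done) {
  const valid = urls.filter(u => isAllowedLogoutUrl(u));
  let pending = valid.length;
  let finished = false;
  const finish = status => { if (!finished) { finished = true; done(status); } };
  if (pending === 0) { finish('nothing-to-do'); return; }
  const timer = setTimeout(() => finish('timeout'), timeoutMs);
  for (const url of valid) {
    const frame = doc.createElement('iframe');
    frame.style.display = 'none';
    frame.addEventListener('load', () => {
      if (--pending === 0) { clearTimeout(timer); finish('done'); }
    });
    frame.src = url;
    doc.body.appendChild(frame);
  }
}
```

Usage in the browser is `runFrontChannelLogout(document, LOGOUT_URLS, 5000, status => location.href = '/logged-out')`. Because a hidden frame gives no feedback to the user, the page should report which sites were actually reached; and because third-party-cookie blocking also applies to the framed logout requests, some browsers will never deliver the session cookie to the framed site, which is exactly why a server-side logout endpoint on the SSO server is the better option.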
You can set them across domains, but depending on the security settings in the browser, they may be blocked, the user may be prompted to confirm, or they may be silently accepted. Here's how you would configure Firefox to block 3rd-party cookies: support.mozilla.com/en-US/kb/…
And how can I set them across domains?
It's very simple, just add JavaScript:
<td width="10%"><div align="center"><font color="#ffffff">Close</font></div></td>