The behaviour of sessionStorage has been documented as it clears when the tab closes. However, in my practice, IE 11(Edge) in my client company clears sessionStorage when user navigates away within the tab (yes, the same tab is still open).
With firefox and chrome, my web app's user can freely navigates away and navigates back, and the data in session storage was kept. But with IE 11(Edge), my user cannot do so.
I checked Microsoft's page on session storage and it reads:
The sessionStorage attribute of the window object maintains key/value pairs for all pages loaded during the lifetime of a single tab (for the duration of the top-level browsing context)
My question is:
Is this a common behaviour of IE's session storage? session storage get cleared if the user navigates away from your domain, whereas other browsers stick to the closure of the browser tab.
Thanks
This might be related to Zone policies in IE/Edge;
https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13861050/
Session Storage and InPrivate Local Storage is dropped when redirecting across zones. For example, if as a part of your redirection chain you redirect from the intranet to internet, Microsoft Edge will not retrieve the expected session storage data. This issue also exists for local storage in InPrivate mode.
Related
I have the following case in a web application of mine. The usual browser that the user uses is Chrome.
I use digital certificates that users have cryptographic cards that they insert into a card reader.
To log in to the application, basically users access the https link that makes the certificate data read.
So far everything works fine.
If the user to end his session of the application closes the browser, there is no problem. Everything is over.
But if the user wants to leave his application session, without closing all browser windows, here are my problems.
There is a button that closes the session of the application, the user leaves and redirects to the initial login screen. It seems that everything has been reset, because the user has left. But when the new user wants to log in and press the link to read the certificate data, instead of doing a new reading of the new card, use the data from the previous card without just asking for the pin to access it.
The problem goes further, for example, if the user has forgotten the card, the card and tries to logarize, the failure to read the certificate. But now, although inserted correctly, the card will not be read again until the browser is restarted, which maintains a cache that does not have a certificate.
At the moment only the solution was found by closing all Chrome windows, but that depends on whether the user does or not.
A partial solution would be sure to close the browser with javascript () but for some time, it can not be closed with javascript (window.close ()), a window that can not be opened from the site itself, with what is available I think it's ruled out
Can someone contribute to me? Thank you
Chrome and the rest of browsers maintain a cache of the SSL authentications performed and decide when to prompt user for selecting a certificate. There is no "logout" function neither the connection can be closed from server side due to TLS resumption protocol ( client can resume the session)
This a common and known issue when defining an authentication system using client certificates. I only have found a workaround: use different domains to force browser to choose a certificate:
login.domain.com
-->login1.domain.com
-->login2.domain.com
-->loginN.domain.com
You have a virtual authentication URL login.domain.com which redirects user's browser to a random loginN.domain.com every time you need an authentication. Chrome will detect that it is a different domain and will prompt user for selecting a certificate
You could also think about using different ports instead of different DNS, but then you could have problems with the user's firewall because you are not using a standard port, and in this case Firefox does not show the window either.
I don't like how I am tracked by Facebook. To delete Facebook cookies from the Chrome browser, I need at least seven mouse clicks. Is there a way to write a script to delete all cookies, local storage, session variables, database storage, etc in Chrome from all sites with name containing *facebook*?
I was under the impression that Chrome in Incognito Mode wouldn't accept or send cookies, since they could be used to identify you. When starting up Incognito Mode, I do have to re-log-in to gmail, etc. But the log-in stays active during the session.
So it seems to me that Incognito Mode maintains a separate, temporary store of cookies which get destroyed when you exit incognito mode. Does this mean that, if you browse in Incognito Mode all the time, it would have no benefit? Does Incognito Mode do anything else?
It essentially sets the cache path to a temporary folder. Cookies are still used, but everything starts "fresh" when the incognito window is launched. This applies all storage, including Cookies, Local Storage, Web SQL, IndexedDB, cache, etc.
Of course Chrome also leaves pages out of the browser's history.
As a developer, it is also interesting to note that Incognito DOES NOT create a separate data partition for each window or tab.
All windows and tabs share access to the same cookies, so you can't create separate tabs to simultaneously log in as different users to one system that uses cookies to transmit authentication info.
Based on this, you still need to use a different browser to test this scenario.
Just an important privacy note on #Jared Dykstra answer and #Mark comment.
but everything starts "fresh" when the incognito window is launched.
This applies all storage, including Cookies
Not 100% true
Today I opened a new fresh chrome incognito window and requested youtube.com . but I surprisingly found that youtube is recommending some videos to me!!! How? based on what ? I'm supposed to be a very new client with fresh browser - I noticed the recommended videos was based on the videos I usually watch while signed in to my google account from chrome or firefox -
After investing the cookies I was shocked that chrome is sending these cookies to youtube.com along with the very first request send to youtube.com from a new freshly opened incognito window.
GPS
PREF
VISITOR_INFO1_LIVE
YSC
I guess youtube.com servers used these cookies to know who I'm and recommend videos for me based on them.
I checked Firefox and it does not do that, it starts the private windows with 100% empty cookies header!
Chrome's incognito mode sets the cache to a temporary folder. When you close the browser window the folder is deleted. So all your history, logins, and downloads are forgotten.
Incognito does not stop sites from keeping information about your visit nor does it hide the browsing from people using a tool like Wireshark to see what you are viewing.
The accepted answer is great. Just adding a note that Chrome has a setting to block third-party cookies while in incognito mode. See the description of the feature released May 19, 2020 in Chrome 83.
Block third-party cookies in Incognito mode (Computer)
You can now block third-party cookies from ads and images on pages you visit in regular mode and in Incognito mode.
And more from the product team:
In addition to deleting cookies every time you close the browser window in Incognito, we will also start blocking third-party cookies by default within each Incognito session and include a prominent control on the New Tab Page. You can allow third-party cookies for specific sites by clicking the “eye” icon in the address bar. This feature will gradually roll out, starting on desktop operating systems and on Android.
If you don’t want Google Chrome to save a record of what you visit and download, you can browse the web in incognito mode.
A detailed link of what Chrome itself says
https://support.google.com/chrome/answer/95464?hl=en
SharePoint 2013 doesn't use Session cookies by default, but rather persistent cookies. Based on several articles, including this one, you can force SharePoint to use session cookies by the following PowerShell command. I ran this command in my SharePoint environment.
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
My goal is to make a user re-authenticate when they close and re-open their browser. For both Forms Authenticated users and Windows Authenticated users, this works great in Firefox and IE. However, in Google Chrome, when I close/re-open the browser and navigate to my SharePoint site, it remembers the user that I was authenticated as before I closed my browser; which is baffling, considering this is supposed to be a Session cookie. This happens for both Forms Authenticated users, and Windows authenticated users.
FedAuth Session cookie, given by SharePoint, as seen in Chrome
Any ideas why Google Chrome (but not IE or FF) is "remembering" my credentials upon browser close/open?
SharePoint Version: 2013, on-premise.
Chrome Version: 42.0.2311.152
Other Notes:
WindowsTokenLifetime is set to it's default value, 10hrs
FormsTokenLifetime is set to 2 minutes
LogonTokenCacheExpirationWindow is set to 1 minute
Update:
I tried closing all identifiable Chrome.exe processes via Taskmgr, but the next time I opened my browser, it still remembered me. However, I restarted my computer, opened the browser, and it didn't remember me that time. I don't think this is a SharePoint issue, but rather a Chrome issue. My guess is that some Chrome process is staying alive somewhere, even though it appears to be closed, thus allowing the "Session" to remain open. Still investigating...
Apparently, when you let Chrome run in the background, the Session cookies aren't expired (even though you've closed the browser). Disabling background mode causes Chrome to forget your Session cookie, as it should.
Note: I'm curious if this a bug in Chrome. This behavior seems to go against what a Session cookie is.
a cookie that is erased when the user closes the Web browser. The session cookie is stored in temporary memory and is not retained after the browser is closed
Update:
According to Google, this is expected behavior (though I'd consider that notion debatable). Also, another SO user also came across the same issue.
sessionStorage is great for easily and quickly saving session-related data for the lifetime of a web page session. However, when a browser tab is closed, but then re-opened by anybody with access to the "Recent Tabs" section of a browser, they can once again access the session data.
Is there any way to flag some session storage data as "not to be saved when the tab is restored" or should I try something else? For example, will a session cookie perform more safely in this instance?
Use a Session Cookie. If you do not set the Expires or Max-Age attributes, the browser is instructed to delete the cookie once the browser has been closed. However, this only works once the entire browser window has been closed.
Cookies are scoped to the entire browser, not to individual tabs. If the browser has been closed, and then the tab is restored from history, a Session Cookie will be gone. If a tab is closed and re-opened with the browser not being closed, your session cookie will persist.
Update: The Firefox "restore session" and Chrome "Continue where I left off" features pretty much ignore the spec (RFC-2109). Bear that in mind and use at your own risk.