Preventing "Restore Tab" from accessing Session Storage - html

sessionStorage is great for easily and quickly saving session-related data for the lifetime of a web page session. However, when a browser tab is closed and then re-opened by anybody with access to the browser's "Recent Tabs" section, they can once again access the session data.
Is there any way to flag some session storage data as "not to be saved when the tab is restored" or should I try something else? For example, will a session cookie perform more safely in this instance?

Use a Session Cookie. If you do not set the Expires or Max-Age attributes, the browser is instructed to delete the cookie once the browser has been closed. However, this only works once the entire browser window has been closed.
Cookies are scoped to the entire browser, not to individual tabs. If the browser has been closed, and then the tab is restored from history, a Session Cookie will be gone. If a tab is closed and re-opened with the browser not being closed, your session cookie will persist.
Update: The Firefox "restore session" and Chrome "Continue where I left off" features pretty much ignore the spec (RFC-2109). Bear that in mind and use at your own risk.
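The answer's point is that client-side storage outlives a closed tab, so anything sensitive kept there is recoverable after a restore. As an added example (not part of the question or answer), the wrapper below gives sensitive sessionStorage entries an expiry, so a tab restored later finds only stale values, while ordinary entries still behave like plain sessionStorage. The storage backend is injected (pass `window.sessionStorage` in a browser; an in-memory stand-in is constructed here), the index key name `__volatile_keys__` is an assumption, and the current time is passed in explicitly so the expiry logic can be exercised offline.

```javascript
// Added example, not from the original post: TTL-bounded "volatile" entries on top of a
// Storage-like backend (getItem/setItem/removeItem), e.g. window.sessionStorage.
const VOLATILE_INDEX = '__volatile_keys__'; // assumed index key; not from the page

function createVolatileStore(storage) {
  const readIndex = () => JSON.parse(storage.getItem(VOLATILE_INDEX) || '[]');
  const writeIndex = (keys) => storage.setItem(VOLATILE_INDEX, JSON.stringify(keys));

  return {
    // Plain entry: behaves exactly like sessionStorage.setItem.
    set(key, value) { storage.setItem(key, String(value)); },

    // Sensitive entry: stored with an absolute expiry and recorded in the index
    // so purgeVolatile() can find it without scanning the whole storage.
    setVolatile(key, value, ttlMs, now = Date.now()) {
      storage.setItem(key, JSON.stringify({ v: String(value), exp: now + ttlMs }));
      const keys = readIndex();
      if (!keys.includes(key)) { keys.push(key); writeIndex(keys); }
    },

    // Read an entry; an expired volatile entry is deleted and reported as absent,
    // which is what a tab restored long after it was closed will see.
    get(key, now = Date.now()) {
      const raw = storage.getItem(key);
      if (raw === null) return null;
      if (!readIndex().includes(key)) return raw; // plain entry
      const { v, exp } = JSON.parse(raw);
      if (now >= exp) {
        storage.removeItem(key);
        writeIndex(readIndex().filter((k) => k !== key));
        return null;
      }
      return v;
    },

    // Drop every volatile entry at once (e.g. on logout); returns how many were removed.
    purgeVolatile() {
      const keys = readIndex();
      keys.forEach((k) => storage.removeItem(k));
      storage.removeItem(VOLATILE_INDEX);
      return keys.length;
    },
  };
}

// Constructed in-memory stand-in exposing the three Storage methods the wrapper uses.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

Note that page lifecycle events such as `pagehide` fire on in-tab navigation as well as on tab close, so they cannot tell a restore apart from a normal page change; an expiry is the reliable client-side control, and for anything that matters the session state should stay server-side behind the session cookie the answer recommends.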

Related

This set-cookie was not stored due to user preference

I have set a cookie from an API and returned it as a response. But the latest version of Chrome beta is not letting me store the cookie. I have also set SameSite="None" and Secure to account for third-party cookies. But this is not getting stored.
Check chrome://settings/content/cookies. You want to ensure that:
"Allow sites to save and read cookie data (recommended)" is enabled
"Block third-party cookies" is disabled
Check the other settings there to ensure that the site is not on the "Block" list.
You should also check that you don't have any extensions that are affecting cookie behaviour. A quick way of generally testing this is to try in Incognito Mode or by creating a new Chrome profile.
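Both the session-cookie answer above and this question come down to which attributes a `Set-Cookie` header carries: no `Expires`/`Max-Age` makes it a session cookie, and `SameSite=None` is only accepted by current Chrome when `Secure` is also present. As an added example (not from either post), the auditor below parses a header and reports those properties; the sample headers and cookie names (`sid`, `tp`, `remember`) are constructed.

```javascript
// Added example, not from the page: parse a Set-Cookie header value and audit it.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const attributes = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    attributes[key] = i >= 0 ? attr.slice(i + 1).trim() : true; // bare flags map to true
  }
  return {
    name: eq >= 0 ? parts[0].slice(0, eq).trim() : parts[0],
    value: eq >= 0 ? parts[0].slice(eq + 1).trim() : '',
    attributes,
  };
}

function auditSetCookie(header) {
  const { name, attributes: a } = parseSetCookie(header);
  const findings = [];
  // Session cookie (RFC 6265): neither Expires nor Max-Age is present.
  const session = !('expires' in a) && !('max-age' in a);
  if ('max-age' in a && !/^-?\d+$/.test(String(a['max-age']))) {
    findings.push('Max-Age is not an integer');
  }
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : undefined;
  // Chrome 80+ rejects SameSite=None cookies that are not also marked Secure.
  if (sameSite === 'none' && !('secure' in a)) findings.push('SameSite=None requires Secure');
  if (!('secure' in a)) findings.push('Secure missing');
  if (!('httponly' in a)) findings.push('HttpOnly missing');
  return { name, session, sameSite, findings };
}

// Constructed sample headers: a sound session cookie, a third-party cookie Chrome will
// drop, and a persistent cookie.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'tp=1; Path=/; SameSite=None',
  'remember=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure; HttpOnly',
];

function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map(auditSetCookie);
}
```

Run `auditAll()` against the headers your API actually emits (copy them from the Network panel) before looking at browser settings: a `SameSite=None` finding explains a cookie that is silently discarded regardless of the user's cookie preferences.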

sessionStorage on IE 11(Edge) got cleared when user navigate away

The behaviour of sessionStorage is documented as clearing when the tab closes. However, in my practice, IE 11 (Edge) in my client company clears sessionStorage when the user navigates away within the tab (yes, the same tab is still open).
With Firefox and Chrome, my web app's users can freely navigate away and navigate back, and the data in session storage is kept. But with IE 11 (Edge), my users cannot do so.
I checked Microsoft's page on session storage and it reads:
The sessionStorage attribute of the window object maintains key/value pairs for all pages loaded during the lifetime of a single tab (for the duration of the top-level browsing context)
My question is:
Is this a common behaviour of IE's session storage? Session storage gets cleared if the user navigates away from your domain, whereas other browsers stick to the closure of the browser tab.
Thanks
This might be related to Zone policies in IE/Edge:
https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13861050/
Session Storage and InPrivate Local Storage is dropped when redirecting across zones. For example, if as a part of your redirection chain you redirect from the intranet to internet, Microsoft Edge will not retrieve the expected session storage data. This issue also exists for local storage in InPrivate mode.

How to clear session cookie ONLY on chrome development tools

For development/debug purposes, instead of disabling Chrome from reopening the tabs of the previous session (and therefore retaining session cookies), closing Chrome and reopening it, or manually looking for that session cookie in dev tools and deleting it, I want to be able to delete session cookies ONLY in Chrome without deleting other cookies (preferably only the session cookie for the site in the current tab), technically simulating that the browser has closed and reopened to the same page again.
Does such a function exist in dev tools, or an extension that does just that?
Since you need this clearing method specifically for one browser, may I suggest the use of a bookmark script?
I wrote this little script that will prompt you for the cookie's name and then delete it. Create a new bookmark in Chrome and add the code below as the URL:
javascript:(function(){var n=prompt("Enter the name of the cookie to delete.");if(!n)return;var h=document.location.hostname.replace(/^www\./,'');var e="=;path=/;expires=Thu, 01 Jan 1970 00:00:00 GMT";document.cookie=n+e;document.cookie=n+e+";domain="+h;document.cookie=n+e+";domain=."+h;})()
Do note that while the script works immediately upon clicking it, if the cookies tab was your active console tab while running the script you will need to switch to another tab and return to the cookies tab to see the visual representation of the cookie being deleted.
If you intend to use this script to delete one specific cookie in one specific environment you can hard-code the cookie name and location, thus minimizing the required code even further and removing the user interaction element. And as an added bonus if you have a Google account this bookmark will carry over to any device you have that is connected to it.

What does Chrome's "Incognito Mode" do exactly?

I was under the impression that Chrome in Incognito Mode wouldn't accept or send cookies, since they could be used to identify you. When starting up Incognito Mode, I do have to re-log-in to gmail, etc. But the log-in stays active during the session.
So it seems to me that Incognito Mode maintains a separate, temporary store of cookies which get destroyed when you exit incognito mode. Does this mean that, if you browse in Incognito Mode all the time, it would have no benefit? Does Incognito Mode do anything else?
It essentially sets the cache path to a temporary folder. Cookies are still used, but everything starts "fresh" when the incognito window is launched. This applies to all storage, including Cookies, Local Storage, Web SQL, IndexedDB, cache, etc.
Of course Chrome also leaves pages out of the browser's history.
As a developer, it is also interesting to note that Incognito DOES NOT create a separate data partition for each window or tab.
All windows and tabs share access to the same cookies, so you can't create separate tabs to simultaneously log in as different users to one system that uses cookies to transmit authentication info.
Based on this, you still need to use a different browser to test this scenario.
Just an important privacy note on Jared Dykstra's answer and Mark's comment.
but everything starts "fresh" when the incognito window is launched.
This applies all storage, including Cookies
Not 100% true
Today I opened a new, fresh Chrome incognito window and requested youtube.com, but I was surprised to find that YouTube was recommending some videos to me! How? Based on what? I was supposed to be a brand-new client with a fresh browser. I noticed the recommended videos were based on the videos I usually watch while signed in to my Google account from Chrome or Firefox.
After inspecting the cookies I was shocked that Chrome was sending these cookies to youtube.com along with the very first request sent to youtube.com from a newly opened incognito window:
GPS
PREF
VISITOR_INFO1_LIVE
YSC
I guess youtube.com's servers used these cookies to know who I am and recommend videos for me based on them.
I checked Firefox and it does not do that, it starts the private windows with 100% empty cookies header!
Chrome's incognito mode sets the cache to a temporary folder. When you close the browser window the folder is deleted. So all your history, logins, and downloads are forgotten.
Incognito does not stop sites from keeping information about your visit nor does it hide the browsing from people using a tool like Wireshark to see what you are viewing.
The accepted answer is great. Just adding a note that Chrome has a setting to block third-party cookies while in incognito mode. See the description of the feature released May 19, 2020 in Chrome 83.
Block third-party cookies in Incognito mode (Computer)
You can now block third-party cookies from ads and images on pages you visit in regular mode and in Incognito mode.
And more from the product team:
In addition to deleting cookies every time you close the browser window in Incognito, we will also start blocking third-party cookies by default within each Incognito session and include a prominent control on the New Tab Page. You can allow third-party cookies for specific sites by clicking the “eye” icon in the address bar. This feature will gradually roll out, starting on desktop operating systems and on Android.
If you don’t want Google Chrome to save a record of what you visit and download, you can browse the web in incognito mode.
A detailed link to what Chrome itself says:
https://support.google.com/chrome/answer/95464?hl=en

SharePoint authentication token/cookie persists when closing browser, but only in Chrome

SharePoint 2013 doesn't use session cookies by default, but rather persistent cookies. Based on several articles, including this one, you can force SharePoint to use session cookies with the following PowerShell commands. I ran these commands in my SharePoint environment.
$sts = Get-SPSecurityTokenServiceConfig   # read the farm's Security Token Service configuration
$sts.UseSessionCookies = $true            # issue the FedAuth cookie as a session cookie instead of a persistent one
$sts.Update()                             # persist the change
My goal is to make a user re-authenticate when they close and re-open their browser. For both Forms Authenticated users and Windows Authenticated users, this works great in Firefox and IE. However, in Google Chrome, when I close/re-open the browser and navigate to my SharePoint site, it remembers the user that I was authenticated as before I closed my browser; which is baffling, considering this is supposed to be a Session cookie. This happens for both Forms Authenticated users, and Windows authenticated users.
FedAuth Session cookie, given by SharePoint, as seen in Chrome
Any ideas why Google Chrome (but not IE or FF) is "remembering" my credentials upon browser close/open?
SharePoint Version: 2013, on-premise.
Chrome Version: 42.0.2311.152
Other Notes:
WindowsTokenLifetime is set to its default value, 10 hours
FormsTokenLifetime is set to 2 minutes
LogonTokenCacheExpirationWindow is set to 1 minute
Update:
I tried closing all identifiable Chrome.exe processes via Taskmgr, but the next time I opened my browser, it still remembered me. However, I restarted my computer, opened the browser, and it didn't remember me that time. I don't think this is a SharePoint issue, but rather a Chrome issue. My guess is that some Chrome process is staying alive somewhere, even though it appears to be closed, thus allowing the "Session" to remain open. Still investigating...
Apparently, when you let Chrome run in the background, the Session cookies aren't expired (even though you've closed the browser). Disabling background mode causes Chrome to forget your Session cookie, as it should.
Note: I'm curious if this a bug in Chrome. This behavior seems to go against what a Session cookie is.
a cookie that is erased when the user closes the Web browser. The session cookie is stored in temporary memory and is not retained after the browser is closed
Update:
According to Google, this is expected behavior (though I'd consider that notion debatable). Also, another SO user came across the same issue.