I run the following JavaScript code in the Opera JavaScript console:
document.cookie='test=abc'
Then I close all the tabs one by one, and then I close the browser.
After that, when I open the browser again, the cookie value test=abc is still in the document.cookie variable.
I tried to research the problem and found this on the official Opera website, http://help.opera.com/Windows/9.50/en/cookies.html:
If no expiration date is assigned to it, a cookie expires at the end of the session, when you exit the browser. A cookie that expires at end of session is called a session cookie.
It means that Opera should follow the standard behavior with session cookies, but it doesn't.
I also found this (Firefox session cookies):
Firefox has a feature where you close Firefox and it offers to save all your tabs, and then you restore the browser and those tabs come back. That's called session restore. What I didn't realize is that it'll also restore all the session cookies for those pages too! It treats it like you had never closed the browser.
So, just in case, before closing the browser (Opera in my case) I closed all tabs one by one. But that didn't help either. The session cookie wasn't deleted.
Opera version: 17.0.1241.53;
Operating system: Windows 7 32-bit
The only thing that works is the manual block list; the manual clear on exit doesn't work either. Of course the block all works, but that also shuts down the internet. You can also use extensions like Privacy Badger to control suspect cookies, but then again how secure are the extensions? Don't get me started on that. I am not paranoid, you however should be..
Related
I am facing the issue where I am unable to get the sessionID in Safari. I am unable to get the session id in my further calls in localhost as well as in https calls.
Below is the code I am using in my server.js. In Chrome and Firefox it is working fine. The problem is in Safari only. I am using the cookie-session package for Node.
Please help.
Boot.App.use(session({
  name: 'checkSession',
  keys: new Keygrip(['app-key-1'], 'SHA384', 'base64'),
  secure: false,
  httpOnly: true,
  domain: doc.Domain.ENV,
  maxAge: 31536000000
}));
This is how I am creating a session:
Boot.App.get('/set', function (req, res) {
  req.session = { checkSession: "user" };
  res.end(JSON.stringify("sessionSet"));
});
But in further calls, when I try req.headers.cookie, the session ID comes back undefined.
This has been a known issue with the Safari browser. What essentially happens is that Safari disables third-party cookies by default. One has to go to the browser and enable them; obviously, on an enterprise application you can't ask your users to do that.
There were known workarounds for this using iframes, e.g.:
Safari 3rd party cookie iframe trick no longer working?
But Apple has since circumvented these too.
I have been trying (for days) to make this work: I want to connect to a Media Server using RTMPT netConnection. In order to reach that, I have to pass an authentication cookie along with my request. In Chrome and IE it works, but in Firefox it doesn't pass the auth_cookie.
When I look into the logs I see the /open/1 request, but it has no cookie attached. Again: in Chrome and IE it uses the cookie. The cookie doesn't have the HttpOnly flag.
Another weird scenario that I encountered is: because it doesn't pass the cookie, the ApplicationServer which holds the authentication asks me for credentials. If I enter them it takes the cookie and works, and any subsequent connections work (Firefox passes the auth_cookie along with the /open/1 request); but if I delete all the cookies in the browser (via CookieController -> Remove ALL cookies and DOM storage) the credentials are requested again (no cookie is passed).
Any suggestions? I've searched all the internet for a solution but I can't find anything...
SCENARIO:
I have a Java web app running in the latest Tomcat 6. I also have a single servlet filter that provides authentication. I support BASIC auth and it appears to work fine - most of the time.
The first time a browser [pick any one - IE, Firefox, Opera, Safari, Chrome] hits one of our protected URL(s), it displays the standard browser-specific login prompt. IFF you enter the proper username/password - everything is fine, a new session is created, and everything operates normally.
IF, however, you entered invalid credentials in the initial BASIC auth dialog, my authentication filter logic handles this by returning another 401 response.
PROBLEM:
Unfortunately, at this point, Chrome is the only browser that will display another BASIC auth dialog. All other browsers listed automatically send the cached "Authorization: Basic.." header - instead of clearing it and prompting the user again.
If anyone has seen this or may know why this is happening, I would greatly appreciate any suggestions!
Thanks and Best Regards,
Bob
problem solved:
After looking over my code again, I found a point where a 401 was being returned without also setting the WWW-Authenticate HEADER.
-bob
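The fix described above, sketched in Node.js as an added example (this is not Bob's servlet filter; the user table, realm and function names are constructed assumptions). Routing every 401 through one helper guarantees the WWW-Authenticate challenge is never omitted, which is what makes browsers discard the cached credentials and prompt again:

```javascript
const crypto = require('crypto');

// Constructed demo values (assumptions, not from the post).
const USERS = { bob: 's3cret-demo' };
const REALM = 'demo';

// Every 401 is built here, so no code path can return a 401 without the
// WWW-Authenticate challenge (the defect described in the post).
function challenge(reason) {
  return {
    status: 401,
    headers: { 'WWW-Authenticate': `Basic realm="${REALM}", charset="UTF-8"` },
    reason,
  };
}

// Compare fixed-length digests so timingSafeEqual accepts any input lengths.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(a).digest();
  const hb = crypto.createHash('sha256').update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Map the value of the Authorization request header to a response decision.
function authenticate(authorization) {
  if (!authorization) return challenge('missing header');
  const m = /^Basic +([A-Za-z0-9+/]+=*)$/i.exec(authorization.trim());
  if (!m) return challenge('malformed header');
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return challenge('malformed credentials');
  const user = decoded.slice(0, sep);
  const known = Object.prototype.hasOwnProperty.call(USERS, user);
  // Run the comparison for unknown users too, then reject them explicitly.
  const match = safeEqual(decoded.slice(sep + 1), known ? USERS[user] : '');
  return known && match
    ? { status: 200, headers: {}, user }
    : challenge('bad credentials');
}
```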
I am interested to see what people are storing in my session and cookies when I visit websites. Is there any way to see what's in there between requests and when I'm on pages in Safari, Chrome, or Firefox?
In Firefox you can use among others Firebug to check the cookies being sent forth and back. Check the Net panel for complete request and response headers. The cookies are present as Set-Cookie response header whenever the session starts and as Cookie request header on all subsequent requests in the same session.
Here's a screenshot of the transferred headers when requesting this topic:
(note that I removed the user cookie value from the screenshot, else someone else would be able to copy it and login as myself)
You cannot check on the client side in any way what's been stored in the server-side session since that's usually not exposed in the cookie values. Only the session identifier is stored as the cookie value. You can at most make some guesses based on the behaviour of the website across the requests.
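The Set-Cookie headers visible in the Net panel can also be inspected programmatically. This added example (not part of the original answer) parses Set-Cookie values and reports whether each cookie is a session or persistent cookie and whether HttpOnly and Secure are set, while redacting the value; the sample headers and function names are constructed for illustration.

```javascript
// Split one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? '' : pair.slice(0, eq),
    value: eq < 0 ? pair : pair.slice(eq + 1),
    attrs: {},
  };
  for (const item of rest) {
    if (!item) continue;
    const i = item.indexOf('=');
    // Attribute names are case-insensitive; flags such as HttpOnly have no value.
    const key = (i < 0 ? item : item.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : item.slice(i + 1).trim();
  }
  return cookie;
}

// Summarise what matters when reviewing a cookie, without echoing its value.
function describeCookie(header) {
  const { name, value, attrs } = parseSetCookie(header);
  return {
    name,
    // No Expires and no Max-Age means a session cookie.
    lifetime: 'expires' in attrs || 'max-age' in attrs ? 'persistent' : 'session',
    httpOnly: 'httponly' in attrs,
    secure: 'secure' in attrs,
    value: `<redacted, ${value.length} chars>`,
  };
}

// Constructed sample headers modelled on the cookies mentioned on this page.
const SAMPLES = [
  'test=abc',
  'checkSession=Y29uc3RydWN0ZWQ=; path=/; expires=Thu, 01 Jan 2026 00:00:00 GMT; httponly',
  'JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly',
];

function report() {
  return SAMPLES.map(describeCookie);
}

console.log(report());
```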
I am not sure how to put it as it sounds weird, but IE8 seems to be dropping sessions. I am talking about sessions in the server, HTTP sessions.
I know that a browser does not as such have to do anything with the HTTP session in the application server, but it seems when I request the server to fetch something I previously stored in the session, it returns a "null".
I go...
session.setAttribute(YGConstants.SEARCH_STRING, searchString);
and then I say
session.getAttribute(YGConstants.SEARCH_STRING);
I get a "null".
Is this a known issue? Am I missing something specific to IE8 or have I not "Googled" enough?
When I use any of the Firefox, Chrome, IE6, IE7 and Opera browsers it all works fine.
"I know that a browser does not as such have to do anything with the HTTP session in the Application server"
Sure it does: it sends the cookie to the server that the server uses to keep track of the server-side session state.
Use Fiddler (www.fiddler2.com) to monitor your requests and ensure that the session cookie is being reliably sent.
In case it has something to do with your case, we had the same problem, but not on all servers. We eventually found that the problems occurred only on the server whose name had an underscore ("_") character in it. Removing the underscore from the domain name solved the problem.