Some browsers (Firefox, Chrome) by design doesn't clean session cookies when you close them, if you set some kind of remember me switch (for example in FF go to Options->General->When Firefox starts->Show my windows and tabs from last time). It is a problem for our client (government agency...) while I do have absolute control over http server, I have no control over browser settings. The scenario is - they're used to share computer accounts, however they shouldn't be able to share web accounts - simply closing the browser should kill the session never mind the browser settings.
Is there an elegant way how to enforce that ?
Currently only solution that comes to my mind is some kind of dead man's switch (change cookies to live only for one minute (encrypted server side time stamp), and on every page have javascript "pinger" that will for 20 minutes ping every half minute some "prolong session" handler on the server (login session should be 20 minutes, sliding expiration).
You could try using HTML5s sessionStorage it lasts for the duration on the page session. A page session lasts for as long as the browser is open and survives over page reloads and restores. Opening a page in a new tab or window will cause a new session to be initiated.
sessionStorage.setItem("username", "John");
https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Storage#sessionStorage
Browser Compatibility
https://code.google.com/p/sessionstorage/
compatible with every A-grade browser, included iPhone or Android.
http://www.nczonline.net/blog/2009/07/21/introduction-to-sessionstorage/
In firefox a simple setup is require in order to prevent firefox to remember passwords when the browser closed:
enter to setup menu (top right)
select "options"
select "privacy" tab
change "history" from "remember history" to "use custom setting" or "never remember"
when "custom setting" is marked, change the cookies settings "keep until"
from "until expired" to "until I close firefox"
Related
In Firefox, enter Options > Privacy & Security > under "Enhanced Tracking Protection" click "Manage Exceptions"
There seems to be no way to add a domain or site to the list of excepted sites (currently the list appears to be empty).
I want to exclude a specific domain from having Tracking blocked (Google reCaptcha is not working and I think this is why). I don't want to just blindly allow all tracking, I want to only allow per site for better security.
I think I found it. In the Firefox address bar click on the Shield icon left of the URL, then click the Toggle for "Enhanced Tracking Protection is ON for this site":
If the site immediately you are trying to unblock redirects to a different site when it detects cookies are blocked, it's very difficult to create an exception. (since you can't stay on that site) In this case, just turn off cookie blocking altogether temporarily so you can visit the first site. Then you can create the exception and turn cookie blocking back on.
I am facing very interesting issue and I am not sure what can cause this. I am using SSO SAML for authentication to the system and IE11 as the browser to access the application. After some time (e.g. 5 min) the session terminates and it is renewed and it is a background process. Somehow only in IE, the session is not renewed until I maximize the browser and do some user action (after that it works). Other browsers are not affected and everything works in background properly. Do anyone know what can cause the issue in IE that the browser needs to user action?
I have a question about the default Laravel Remember Me option below the login form. I use the default built-in LoginController.
When I read the Laravel documentation, then I read about the Remember option:
"which will keep the user authenticated indefinitely, or until they
manually logout"
Ok. Now I do a test:
I uncheck the Remember Me checkbox, and I login. Then I close the browser. I open my browser and goto my app: I am still logged-in.
Then I select the checkbox Remember Me, log in, close browser, open browser: exactly the same result: I am still logged-in....
How is that possible? What is the difference?
If you use remember me, Laravel puts cookie with token that is used to log you in next time you visit the page (in case you are somehow logged out I will explain later).
Laravel by default uses session that is valid for 2 hours (you can set this up in config), so if you close your browser while logged in and then attempt to open same browser again in window of 2 hours server will not notice the change.
"Log out somehow"
well obviously by clicking logout in application
clearing up browser cache by browser itself or by 3rd party program
using different browser (this is just for clarification)
using incognito mode (this is just for clarification)
using different computer and browser without sync feature (this is for clarification)
To answer your question "whats the difference?":
If you use remember me, Laravel will set cookie with token that is used instead of credentials (name:password combination) while logging in, and the process is invisible for user.
If you do not use remember me, you can be signed in only for 2 hours (or whatever is set in config file) without action. The fact that browser keeps session information even after its closed is considered as feature of the browser).
I have a javascript popup that alerts users when their session is about to expire.
On the master page > page load - if the user is logged in I do registerClientStartupScript and call setTimeout(showPopup, time). So that this is in effect on all pages.
My question is.. if session timeout is set to 20 minutes for example, and my popup is set show at 19 minutes.. when the user clicks "back" or "forward" in their browser window - does the session get refreshed and the 20 minutes restarts? or does it continue counting up from where it was when you clicked back/foward?
If the latter, is there a way I can refresh session on back/forward?
Hopefully this makes sense, I appreciate any help!
I have no much nore information about javascript but other web farameworks like jsf php etc the session starts when user opened the browser and session terminateted when user closed the browser and I think generally session scobe is not depend on programming languages
Firefox has a feature to restore session cookies after restart (either after crash or if user has set "restore session" option) and that's causing a lot of problems (for example: Firefox session cookies).
However some sites, most notably Gmail, somehow don't have this problem. After it restores session Firefox won't sign you back in Gmail, you'll have to enter user/pass again. (although, I am not quite sure if Gmail uses session cookies at all)
Is there a way for server application "prevent" browser from restoring session cookies? Or is there some way to know that you are in restored session?
Ok, to answer my own question...
According to Can firefox restore a secure session after an add-on installation? and the page it links to http://kb.mozillazine.org/Browser.sessionstore.privacy_level there's a Firefox setting 'browser.sessionstore.privacy_level' which determines what FF session restores saves (can be 0, 1 or 2 - see second link).
Until FF4 it was default to store/restore only non-secure sessions (that's why GMail currently asks you to sign in again - they are using SSL/HTTPS), but in FF4 default setting will be to store ALL sessions - so even secure sessions will be restored by FF.