Why Doesn't Closing A Tab Delete A Session Cookie? - session

I'm using session-based cookies with my website. To my complete surprise, I noticed if I set a session cookie (not a persistent cookie), close a tab, and then reconnect to the site, the session cookies are still there. That's not what I would have expected, actually. I would have expected the session cookies to be deleted.
If you close the browser, a session cookie is deleted, so why doesn't closing a tab have the same result?
Therefore, I'm using PHP5 and jQuery. Is there anything I can do such that when a tab is closed I can fix this session issue? Unfortunately the onbeforeunload event on the BODY tag is not useful here because when you click away from a page it fires that event, not just closing a tab.

The session cookie is per-process not per window. So even if you selected New Window you'd still get the same session id. This behavior makes sense. You wouldn't want a user to re-sign in each time they opened a new window while browsing your site.
I'm not aware off hand of any real way around this.

This is by design and trying to change it is a very bad idea. What if a user opens a link in a new tab and closes that? Should the session in the original tab be destroyed? Of course not! This demonstrates why you should not even think about this.
A session ends when the last browser window closes. If you want something else, you:
- do not want sessions;
- need to make your own "mini-session" infrastructure;
- are probably in for a world of hurt and bugs.

Session web storage can be used instead of cookies if you need to depend on tab closure.
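
The sessionStorage approach from the answer above, sketched as an added example (not code from any of the posters): the server hands the logged-in tab a random token, the page keeps it in sessionStorage and sends it with each API request, and the server requires it next to the session cookie. The header name `X-Tab-Token`, the in-memory store and the `fakeTabStorage` stand-in are assumptions made for illustration.

```javascript
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

function newToken() {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// --- Server side. Hypothetical in-memory store: session id -> Set of tab tokens.
const tabTokens = new Map();

// Called once the credentials have been verified; the token goes back in the
// response body (not in a cookie), so only the tab that logged in receives it.
function login(sessionId) {
  const token = newToken();
  tabTokens.set(sessionId, new Set([token]));
  return token;
}

// A request is accepted only with the session cookie AND a token issued to a tab.
function authorize(sessionId, tabToken) {
  const issued = tabTokens.get(sessionId);
  return Boolean(issued && tabToken && issued.has(tabToken));
}

// --- Browser side. sessionStorage is per tab and is cleared when the tab closes.
function rememberTab(storage, token) { storage.setItem('tabToken', token); }
function requestHeaders(storage) {
  const token = storage.getItem('tabToken');
  return token ? { 'X-Tab-Token': token } : {}; // header name is an assumption
}

// Stand-in for one tab's sessionStorage so the flow can run outside a browser.
function fakeTabStorage() {
  const items = new Map();
  const getItem = (key) => (items.has(key) ? items.get(key) : null);
  return { getItem, setItem: (key, value) => void items.set(key, String(value)) };
}

// Tab A logs in; tab B is a fresh tab that shares the cookie but has no token.
function demo() {
  const tabA = fakeTabStorage();
  rememberTab(tabA, login('sid-constructed-1'));
  const tabB = fakeTabStorage();
  return {
    tabA: authorize('sid-constructed-1', requestHeaders(tabA)['X-Tab-Token']),
    tabB: authorize('sid-constructed-1', requestHeaders(tabB)['X-Tab-Token']),
  };
}
```

A custom header only travels on requests the page makes itself (fetch/XHR), so this guards API calls; a plain page navigation still carries only the cookie.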

You can also write JavaScript that detects when a tab is closed and deletes the cookie.

I found a work around.
I'm working in ASP.NET C#. I have a Master Page for all the pages of the site except for the Login page. In the Master Page server Page Load event I get the URL of the referring page and check if it contains the root of the site; if not, I redirect to the Login page, and since it doesn't have that Master Page, it displays.
This works if I try to get to a page from another site or if I enter the URL in the address box of the browser. So if you close the tab and you try to reenter from another tab or reopen the tab, even though the cookie hasn't been killed, you can't reenter the site without going through Login. This also works even if you haven't closed the tab and you're navigating between different sites in the same tab.
This is the code
if (Request.UrlReferrer == null || !Request.UrlReferrer.AbsoluteUri.ToString().Contains("root"))
{
    Response.Redirect("~/Account/Login.aspx");
}
When navigating from within the site there's no problem; even if you open a link to another page in the site in another tab, it opens.
If you want to be additionally sure, you can kill the session and authentication cookie in that if clause before redirecting to the Login page.
This won't work when a user has navigated to another site in the same tab and presses the browser's back button, because that works on cache and doesn't automatically send a request to the server.
So this doesn't kill the session or authentication cookie on closing the tab, but it can help prevent reentering the site without logging in after closing the tab.
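
An added comparison (not the poster's code) of the substring test used above with an exact origin comparison, run over constructed Referer values; `SITE_ORIGIN` stands in for the "root" string and all hosts are made up. Either way the header is supplied by the client and can be absent, so the check belongs next to the server-side session check, not in place of it.

```javascript
// Constructed site origin; plays the role of the "root" string in the post.
const SITE_ORIGIN = 'https://shop.example';

// Same logic as the post: accept when the site root appears anywhere in the Referer.
function substringCheck(referer) {
  return referer != null && referer.includes(SITE_ORIGIN);
}

// Stricter variant: parse the header and require the origin to match exactly.
function originCheck(referer) {
  if (!referer) return false;
  try {
    return new URL(referer).origin === SITE_ORIGIN;
  } catch {
    return false; // not a parseable absolute URL
  }
}

// Constructed sample values for the Referer header.
const sampleReferers = [
  'https://shop.example/orders/17',                 // genuine in-site navigation
  'https://shop.example.other.test/',               // different host, same prefix
  'https://other.test/?back=https://shop.example/', // site root inside a query string
  null,                                             // typed URL or header stripped
];

function compareChecks() {
  return sampleReferers.map((referer) => ({
    referer,
    substring: substringCheck(referer),
    origin: originCheck(referer),
  }));
}
```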

Related

Session gets overridden on opening a new tab in IE in mvc

I have a home page url http://localhost:3443/home1
In the index action of home1 I am having a session["Home"]=Home1.
I am having another home page url http://localhost:3443/home2
There I have a session session["Home"]=Home2.
Now the context is that for some users the landing page is home1. So if they click on the home button on the menu or do any such activity, they should land on home1.
For another set of users they should land into home 2 for whatever activity they do which leads to the home page.
Now the menu: it is an ascx control.
Here we are checking the session value is home1 or home2.
Based on that we are redirecting the user to the desired landing page.
Now the problem that I am facing is when we copy http://localhost:3443/home1 to another tab, e.g. tab2, and from there we change it into home2 and then do some activity. When we then come back to tab1, the value gets overridden: it has taken the home2 session. This leads to the wrong landing page on click of the home link in the menu. Do you have any solutions for this problem?
I hope I have correctly explained the problem; if not, please let me know and I will explain further.
Session is for the connection, which will include both tabs (for example, why you can log in to stackoverflow on one tab and then if you open a second tab you are still logged in).
As #Skuld mentioned, the session is for the user's connection to the site, so if the user goes to another page he or she is allowed to go to, they can open this in a new tab keeping the original tab open. If these are form pages you might want to look at 14 AntiForgeryToken. Also, I noticed you said this happens in IE; does this also happen in Chrome? If so, you might want to look to see if IE is accepting cookies. You can add roles to the session and then authorize those roles to home1 or home 2 from your controller; you should be authorizing users and roles to pages in your code, not within your session. It's hard to help any more without any code to look at.
Hope this gets you on the right track.

parameters lost when open new window in C#

I develop a site where certain pages a user can only access when he is logged in.
For certain requests it would be better if I opened a new window. Mostly I use the session to store data, including the user data.
To open a new window I use:
ScriptManager.RegisterStartupScript(this, typeof(string), "OpenWindow",
    "window.open( '~/smsftd1', null,'height=400,width=600, status=yes, " +
    "toolbar=no, menubar=no,location=no' );", true);
It opens the window and it looks how I want it and how it should behave. The only downside is that all data I have saved with the session variables are gone.
If I redirect in the same pages or even open a new tab it works fine and all session variables are available.
When I search for the issue it was pointed out it is an IE issue (older versions). I changed the settings in the IE browser settings but it did not help.
The main issue is that I lose the authorisation the user made.
At the moment I have removed the opening of a new window and just redirect.
If someone has done this I wish to know so I can organise a better flow.
The only option I could think of is storing data in a cookie instead of the session.
Any feedback please?
There is no direct answer, but you can check with Fiddler or the trash tool in Firefox.
Please increase your session timeout.
Also check in global.aspx that there is no event call when a new window opens.
The best thing is Fiddler, to check where the whole history shows what the cookie/session variables are, the links redirected to, etc.
Please check these links before doing anything.
After a few window.open calls my ASP.NET session times out
http://bytes.com/topic/asp-net/answers/287080-session-variable-window-open
Keeping ASP.NET Session Open / Alive
Add in web.config and try (reference from above link):
<httpHandlers>
  <add verb="GET,HEAD" path="SessionHeartbeat.ashx" validate="false" type="SessionHeartbeatHttpHandler"/>
</httpHandlers>

Classic ASP Logout Process

I'm working on a web application developed in classic ASP. It has a logout button on the top menu which basically does the following actions:
- Session.Abandon()
- Redirect to Index.asp, where users can log in again.
After logging off, users return to index.asp. But if users click the back button on the browser, they go to the previous page. I don't want this to happen. I want a message saying that they are already logged off. I have implemented the following steps:
1. Add Response.Expires=-1 and Response.CacheControl="no-cache" at the top of each page.
2. On each page I'm checking the session object to see it is not empty. If empty, I'm creating a message saying that they are already logged off and need to log in again.
Now when users click the back button after logging off, instead of showing the logged out message, I get a "Web page expired" message on IE8. I see the same behavior when users click the back button on some page while logged in.
Any ideas how I can implement this better?
Thanks.
You can't stop users pressing back. A common scenario to work around this is that POSTs target a server page that displays no output but redirects to a new location instead (where the results can be seen).
There are additional non caching declarations that sometimes help:
Response.Expires = 0
Response.AddHeader "pragma","no-cache"
Response.AddHeader "cache-control","private"
Response.CacheControl = "no-cache"
I did read some time ago (hence inability to find link) that setting an expires to -1 can cause some browsers to ignore it rather than have it expire immediately.
Even adding these extra cache controls won't stop some browsers from caching some things some of the time. FF quite often ignores a forced cache reload by the user, so you are in the browser maker's hands to a certain extent.
Regarding your "Web page expired" message, this is (as mentioned) the result of the browser trying to stop you from resubmitting POST data (and potentially duplicating what you last did). The best way to get around this, and solve a number of other common UI issues on forms is to POST back to the same page, then if/when the action is completed, using a response.redirect to the same page, maybe with a URL encoded message to say "all done successfully". This allows your users to refresh and helps with the back button issue as most browsers now don't store properly redirected pages in their history.
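
The logout flow the answers above describe (cache headers on every page, a POST that only redirects, a session check on each request), written out as an added example rather than code from the thread. The routes, the cookie name `sid` and the in-memory store are assumptions, and `Cache-Control: no-store` is used here although the posts list only `no-cache` and `private`.

```javascript
// Hypothetical in-memory session store with one constructed session.
const liveSessions = new Map([['sid-constructed-1', 'alice']]);

// Sent on every response; Expires and Pragma are the values from the answer above.
const NO_CACHE = { 'Cache-Control': 'no-store', Pragma: 'no-cache', Expires: '0' };

function redirect(location, extraHeaders = {}) {
  // 303 makes the browser follow up with a GET, so Back never re-submits a POST.
  return { status: 303, headers: { ...NO_CACHE, Location: location, ...extraHeaders } };
}

// Pure request handler: (method, path, session id from the cookie) -> response.
function handle(method, path, sessionId) {
  if (method === 'POST' && path === '/logout') {
    liveSessions.delete(sessionId); // server-side equivalent of Session.Abandon()
    return redirect('/index?msg=logged-out', {
      'Set-Cookie': 'sid=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax',
    });
  }
  if (method === 'GET' && path.startsWith('/index')) {
    return { status: 200, headers: NO_CACHE, body: 'login form' };
  }
  const user = liveSessions.get(sessionId);
  if (!user) {
    // Reached when Back or a bookmark re-requests a page after logout.
    return redirect('/index?msg=logged-out');
  }
  return { status: 200, headers: NO_CACHE, body: `account page for ${user}` };
}

// Page view while logged in, then logout, then the same page requested again.
function logoutFlow() {
  const sid = 'sid-constructed-1';
  return [
    handle('GET', '/account', sid),
    handle('POST', '/logout', sid),
    handle('GET', '/account', sid),
  ].map((r) => `${r.status} ${r.headers.Location ?? ''}`.trim());
}
```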

What will happen to a session if a user tries to copy the address bar to a new IE window?

Suppose a user logs in to a web site and starts navigating its pages.
For a specific page, he copies the page address and pastes it into a new IE window's address bar.
Now, what happens to his session? Does it duplicate? Or what?
No, AFAIK, the SESSION cookie gets sent to the browser (the application as a whole, not the window). Each window references the same cookie information held by the browser (IE).
An oversimplified example:
Think of it as a database and a script. The database houses a bunch of information, which can be read by many scripts. That information is still housed in one place even though every script can do something with it.
The session cookie would be the database and the browser window the script.
I think it goes like this:
If the "new window" is opened with Ctrl-N in the first window, the same session exists in the "new window".
If the "new window" is opened by double-clicking on the IE icon, the first window's session doesn't come along for the ride.
Independent of the browser a new window or tab of the same browser uses the same session. Only another process will have a different session. For example copy the address to another browser like Firefox, and you will get a new session.
Opening a new window within the same browser is no different from the server's point of view than reloading the page in the current window. The session is the same and the server merely issues a response to the request. However if there were any POSTed fields in the original page request (for example, the user had performed some actions) these will not be sent with the new request.
Sessions are created and destroyed by the web browser on the server. So sessions are unique for each browser. That is, there is no need to regenerate one when using the same browser (if not logged out), and one needs to be regenerated when using a different browser from the first one. Therefore, if you copy the URL to the same browser before closing the current window, it is the same as the earlier session, but not if you copy it to a different browser; in that case you will be asked to log in again.
However, if you have set the session to be closed when the window is closed, then closing the browser will close the session, but closing the tab will not close the session, because the server considers that the browser is still live and keeps the session live.

Web page expired message in browser

I am implementing a web application using ASP .Net and C#. One of the pages has a requirement that it always needs to be fetched from the server, rather than from the local browser cache. I have been able to achieve this.
We have a back button in the application, which simply invokes javascript:history.back() method. The problem is that when the back button is clicked to navigate to the page which is always to be reloaded from the server, the browser displays a "Web page expired message".
The intent here is to force the browser to reload the page rather than display the web page expired message.
Any help would be highly appreciated. Thanks a ton in advance.
You will probably need to change the implementation to make the browser load the URL explicitly:
window.location.href = 'http://....';
instead of invoking the back button, since the intention of the back button is to get the last page from the cache.
(If browsers would not act that way, they would re-send your form data multiple times when using the back button during a registration process or similar.)
You mean you want to control browser behaviour, which is not possible. I doubt you can solve it that way. You could set the expiration time to a small value (1 minute perhaps?) so that the page is still valid if one navigates back quickly.
