Reputation: 21
I see a serious design issue with how Chrome Apps are closed and how JSession or other HTTP cookies are maintained.
In our current Chrome App, we are hitting a RESTful site (Site B) to fetch some information after authentication. Site B returns the HttpOnly JSESSIONID cookie in the response.
Now there is no way that I can simply log out, reload, or close and reopen the Chrome App and use a different authentication to access Site B, because the Chrome App sends the same JSESSIONID again, which was received during the previous authentication. Worse, even if I pass an authentication header with a wrong userid/password, that is also allowed, because as per the Java spec the JSESSIONID is given preference over the authentication header.
There is no way in a Chrome App that I can delete this HttpOnly JSESSIONID or restrict the Ajax call (XHR request) to avoid sending the JSESSIONID. Even if you pass a wrong JSESSIONID with the URL, that does not work, because as per the Java spec the JSESSIONID from the cookie is given precedence over the one in the URL.
Even if I consider all the above behaviour to be as per the Java specs, at least one would expect that the session cookies are automatically deleted when the Chrome App is closed or reloaded. But it seems that the session cookies are not deleted because the corresponding chrome.exe instance is still running in the background. Once you close all the Chrome browser instances and/or manually kill all the chrome instances from the Task Manager and reload the app, only then does it work, because now the session cookies are removed.
Can someone help me find the Chrome App APIs or settings which
1) remove the session cookies when the Chrome App is closed and reloaded.
2) kill the chrome.exe instance when the Chrome App is closed.
I am not looking for any kind of manual process.
Thanks in advance. Kanchan
Upvotes: 2
Views: 1192
Reputation: 77531
I'm afraid you're hitting something that's known to be missing from the Chrome Apps platform.
Namely, there are no methods for managing cookies for XHRs originating from a Chrome App. Here's a related issue, see comment #11 specifically.
As mentioned in the issue, it's extremely clumsy but you could try and use a <webview> tag and make requests from within it. The cookies in it do not persist and can be manually cleared.
Upvotes: 1
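The `<webview>` workaround from the answer above, sketched as an added example (not code from either poster): the webview gets an in-memory storage partition, and logout clears that partition's cookies before navigating again, so the old JSESSIONID is not replayed. The function names, the partition name and the URLs are assumptions for illustration, and the app manifest is assumed to declare the "webview" permission.

```javascript
// Added example; function names, partition name and URLs are hypothetical.

// Create a <webview> whose cookies live in an in-memory partition.
// A partition name starting with "persist:" is stored on disk, so reject it here.
function createSessionWebview(doc, container, url, partitionName) {
  if (partitionName.startsWith('persist:')) {
    throw new Error('persistent partition would keep session cookies across restarts');
  }
  const webview = doc.createElement('webview');
  // The partition can only be chosen before the first navigation,
  // so set it before src.
  webview.setAttribute('partition', partitionName);
  webview.setAttribute('src', url);
  container.appendChild(webview);
  return webview;
}

// Remove every cookie held by the webview's partition.
// Uses the <webview> clearData(options, types, callback) method.
function clearSessionCookies(webview) {
  return new Promise((resolve, reject) => {
    if (typeof webview.clearData !== 'function') {
      reject(new Error('element is not a <webview>'));
      return;
    }
    // since: 0 means "from the beginning of time"; only cookies are cleared.
    webview.clearData({ since: 0 }, { cookies: true }, () => resolve());
  });
}

// Logout flow: clear cookies first, then navigate, so the next request
// to the backend carries no previous session id.
async function logout(webview, loginUrl) {
  await clearSessionCookies(webview);
  webview.src = loginUrl;
}

// Wiring inside the app page (only runs where a DOM exists):
if (typeof document !== 'undefined' && document.body) {
  const wv = createSessionWebview(
    document, document.body, 'https://site-b.example/login', 'siteb-session');
  const btn = document.getElementById('logout'); // hypothetical button id
  if (btn) btn.addEventListener('click', () => logout(wv, 'https://site-b.example/login'));
}
```

Requests to Site B then have to be made from inside the webview (for example by the page it loads), since XHRs issued from the app's own pages still use the app's cookie store.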