Does Cookies.removeCookie() work as a mechanism to logout?


alan

Nov 28, 2007, 2:52:58 PM
to Google Web Toolkit
I've implemented a login/logout mechanism that uses the session cookie
(all behind https) to secure login to a web page. This creates a
cookie with a session id. The valid session ids are all stored and
expired on the server side.

My question is this. I tried to create a "log out" feature that
would simply call "Cookies.removeCookie".
I would expect the browser to stop sending that cookie afterward, but
that is not what I see in my wireshark traces. It seems that even
after Cookies.removeCookie is called, it still gets sent.

Here are my questions.

A) Has anyone else seen this?
B) Could the browser be caching it in some way?
C) Could this be a bug, or is my understanding of what should happen
wrong?

To get around this I'll likely need to implement another RPC call to
invalidate that session on the server side.

Has anyone else run into an issue like this?



Reinier Zwitserloot

Nov 28, 2007, 6:24:21 PM
to Google Web Toolkit
The cookie should definitely go away, so there's something wrong
either in Cookies.removeCookie, or in the browser, or in your code.

However, regardless of whether or not cookie deletion works, you are
being rather insecure if you don't send a note to the server to
invalidate the cookie. Just because the cookie has been eliminated
from the user's harddrive doesn't mean it's really gone. It could be
on a backup. Someone could have sniffed it off the wire (in the case
of SSL, doubtful, but maybe you use a reverse proxy SSL solution and
someone is in the middle on your local net). It could just be someone
else that got a hold of a user's cookies.dat file. Either way, the
session ID is no longer valid even if someone magically comes up with
it again. You *NEED* to tell your own server that the given cookie is
to be deleted from the db/removed from the session store.

alan

Nov 28, 2007, 7:14:50 PM
to Google Web Toolkit
Hi Reinier,

Yes, you are absolutely right about needing to inform the server of the
session id logout. This quick version is just the result of schedule
pressure. I'm implementing the session id invalidation on logout
right now.

Regardless, though, Cookies.removeCookie should get rid of the cookie.
I'll double check the code, but the wireshark session did show the
cookie going across the wire.

The set is done as:

Cookies.setCookie("example-sid",sessionID,expires,null,"/",false)

The remove is done as:

Cookies.removeCookie("example-sid");

Isn't the only thing that can go wrong getting the name "example-sid"
correct? I've checked this and it is fine.

The only unusual thing done here is that the login page and the main
page are different.
The login page sets it, and the main page removes it when signing
out.

(Also, all validations of the session are sent as part of the request,
as mentioned in the GWT security wiki page.)

Alan

Jamie

Nov 29, 2007, 2:20:45 PM
to Google Web Toolkit
Perhaps the removeCookie method only works in conjunction with the
setCookie(name, value) version, and not the full setCookie(name,
value, expires, domain, path, secure) version.

As a workaround, call setCookie with the same parameters as before,
except set the 'expires' to expire immediately.

In the GWT1.4 implementation, setCookieImpl uses
encodeURIComponent(name) for the cookie name, whereas removeCookie
simply uses the passed in name. Not sure if that could be causing the
trouble or not.

Reinier Zwitserloot

Nov 29, 2007, 4:43:08 PM
to Google Web Toolkit
On Nov 29, 8:20 pm, Jamie <jamiesharbor-sou...@yahoo.com> wrote:
> Perhaps the removeCookie method only works in conjunction with the
> setCookie(name, value) version, and not the full setCookie(name,
> value, expires, domain, path, secure) version.

That's not it.

>
> As a workaround, call setCookie with the same parameters as before,
> except set the 'expires' to expire immediately.

That's not it either.

>
> In the GWT1.4 implementation, setCookieImpl uses
> encodeURIComponent(name) for the cookie name, whereas removeCookie
> simply uses the passed in name. Not sure if that could be causing the
> trouble or not.

That must be it.

What happens if you don't use -? Then again, I'm tempted to say this
isn't it either, because AFAIK - doesn't get mangled.

alan

Nov 30, 2007, 6:55:33 PM
to Google Web Toolkit
Here is some more info.

#1) The invalidate session is implemented, so the removeCookie is not
a requirement now.

#2) I was doing my testing earlier in Firefox 2.0.0.10. When I try it
with IE7 it does remove the cookie as it should.

So, Firefox 2.0.0.10 - not working.
IE7 - works fine.


So could this be a bug in Firefox? Or maybe in the GWT
generated JavaScript for Firefox? Or the GWT generated JavaScript
which fails to get around a Firefox bug?

I've got wireshark packet traces if this needs to be filed.



On Nov 29, 1:43 pm, Reinier Zwitserloot <reini...@gmail.com> wrote:
> On Nov 29, 8:20 pm, Jamie <jamiesharbor-sou...@yahoo.com> wrote:
>
> > Perhaps the removeCookie method only works in conjunction with the

romk...@googlemail.com

Dec 10, 2007, 4:23:29 AM
to Google Web Toolkit

Hi Alan,

I've encountered a similar problem (Cookies.removeCookie doesn't work
as expected).

The only way I got the logout + re-login to work was to overwrite the
previous sessionId.

Have you found a better way to solve this problem?

Sumit Chandel

Dec 14, 2007, 3:39:17 PM
to Google-We...@googlegroups.com
Hi Alan,

Thanks for following up on your experience with the Cookies.removeCookie() method. Please go ahead and file an issue report for this on the Issue Tracker so that we can keep track of it and look into the problem.

Issue Tracker:
http://code.google.com/p/google-web-toolkit/issues/list

The wireshark packet traces might not be as useful as any bit of source code you could include in the issue to help reproduce the problem.

Cheers,
-Sumit Chandel

Sumit Chandel

Dec 14, 2007, 3:42:45 PM
to Google-We...@googlegroups.com
Hi romkenny,

Are you also only experiencing this issue in Firefox? If so, it's very likely that you're experiencing the same issue as Alan. Please go ahead and create an issue report for this or add to Alan's if he gets to it first.

In the meantime, I believe you'll want to use a server-side cookie invalidation mechanism as the real solution to this problem. Even though Cookies.removeCookie() should work, it isn't the solution to handling user login and logout for all the security reasons Reinier mentions above. Once you implement a server-side validation solution, the fact that Cookies.removeCookie() isn't working properly should be a non-blocking issue, however still something that we'll need to fix.

Thanks,
-Sumit Chandel

On Dec 10, 2007 1:23 AM, romk...@googlemail.com <romk...@googlemail.com> wrote: