Chrome App does not remove session cookies (JSessionId) unless all instances are closed


Kanchan

Jun 24, 2015, 6:21:49 AM
to chromi...@chromium.org
I see a serious design issue with how Chrome Apps are closed and how JSESSIONID or other HTTP cookies are maintained.

In our current Chrome App, we are hitting a RESTful site (Site B) to fetch some information after authentication. Site B returns the HttpOnly JSESSIONID cookie in the response.

Now there is no way that I can simply log out, or reload, or close and reopen the Chrome App and use a different authentication to access Site B, because the Chrome App sends the same JSESSIONID again which was received during the previous authentication.
Worse, even if I pass an authentication header with a wrong user id/password, that is also allowed, because as per the Java spec the JSESSIONID is given preference over the authentication header.

There is no way in a Chrome App that I can delete this HttpOnly JSESSIONID or restrict the Ajax call (XHR request) to avoid sending the JSESSIONID. Even if you pass a wrong JSESSIONID in the URL, that does not work, because as per the Java spec the JSESSIONID from the cookie is given precedence over the one in the URL.

Even if I consider all the above behaviour to be per the Java specs, then at least one would expect that the session cookies are automatically deleted when the Chrome App is closed or reloaded. But it seems that the session cookies are not deleted because the corresponding chrome.exe instance is still running in the background. Once you close all the Chrome browser instances and/or manually kill all the chrome.exe instances from the Task Manager and reload the app, only then does it work, because now the session cookies are removed.

Can someone help me find out the Chrome App APIs or settings which
    1) remove the session cookies when the Chrome App is closed and reloaded.
    2) kill the chrome.exe instance when the Chrome App is closed.

I am not looking for any kind of manual process.

Thanks in advance.
Kanchan



Reilly Grant

Jun 24, 2015, 11:28:11 AM
to Kanchan, chromi...@chromium.org

Why doesn't the server support a "log out" command?

IIRC, Chrome has gotten more aggressive about retaining session cookies across browser restarts in normal web contexts so this behavior seems to be intended.

An API to clear the application's cookie jar seems reasonable but feels like a workaround for server-side issues.



Kanchan

Jun 24, 2015, 1:55:29 PM
to chromi...@chromium.org, kd...@broadsoft.com
Hi Reilly,
The server in my case serves RESTful APIs to serve resources, but not to provide login and logout functionality.
I feel server-side logout functionality would be a workaround for this, which we need to implement if there is no way out.

Why can't Chrome follow the standards, conventions and specs and delete the session cookies when the session ends?
This is how all HTTP clients (should) behave and this is how cookies should be implemented.

What is the logic behind keeping the session cookies when the application (Chrome App) closes or is reloaded and the session ends?
What is the logic behind keeping the session open when the user actually wants to terminate it?
What is the logic behind the chrome.exe instance not ending when the corresponding Chrome App closes?

These are all going against conventions and standards, because of which we developers waste our time finding a solution, ultimately coming to know that Chrome/Google has changed the standard.

Regards,
Kanchan

Reilly Grant

Jun 25, 2015, 2:01:47 PM
to Kanchan, chromi...@chromium.org
The concept of a session is loosely defined in a Chrome App. It may have multiple windows open and it may be running code in its background page, so tying events to when the app is "closed" can actually lead to more confusion. The recommended pattern is that the app background page should listen for window close events and decide what resources to clean up itself, instead of Chrome dictating policy. This is when you could decide to send the server a logout message or use an API call to clear cookies. Such an API may already exist but I'm unfamiliar with it.
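The pattern described in this reply, as an added example that is not code from the thread or from Chromium: the app's background page attaches a listener to each window's close event and, once the last window is gone, discards Site B's session cookies itself and (where the server offers it) sends the logout request Reilly's first reply asked about. It assumes a `cookieJar` object exposing `getAll({url})` and `remove({url, name})` synchronously (chrome.cookies uses those names but is callback-based, and the thread does not settle whether a packaged app may use it), an `appWindows.getAll()` with the shape of `chrome.app.window.getAll()`, and a placeholder origin, cookie value and `/logout` path; the in-memory fakes at the bottom are constructed so the example runs offline.

```javascript
// Added illustration of the "app decides its own cleanup" pattern; not thread or Chromium code.
// Assumptions: cookieJar.getAll/remove are synchronous stand-ins for the chrome.cookies
// shape; appWindows.getAll() mirrors chrome.app.window.getAll(); SITE_B and the
// '/logout' path are placeholders.

const SITE_B = 'https://siteb.example'; // placeholder for the RESTful server's origin
const SESSION_COOKIE_NAMES = new Set(['JSESSIONID']); // server session identifiers

// Remove the session cookies stored for `origin`: the named session identifiers plus
// any cookie the jar flags as non-persistent. Returns the names that were removed.
function clearSessionCookies(cookieJar, origin = SITE_B) {
  const removed = [];
  for (const cookie of cookieJar.getAll({ url: origin })) {
    if (SESSION_COOKIE_NAMES.has(cookie.name) || cookie.session) {
      cookieJar.remove({ url: origin, name: cookie.name });
      removed.push(cookie.name);
    }
  }
  return removed;
}

// Build the listener the background page attaches to every window's onClosed event.
// The session is torn down only when no app window remains, so closing one of several
// windows does not log the user out of the others. Assumes the closed window is no
// longer listed by getAll() when the listener runs; if the platform still lists it,
// compare against 1 instead of 0.
function makeWindowClosedListener(appWindows, cookieJar, notifyServer) {
  return function onWindowClosed() {
    if (appWindows.getAll().length > 0) {
      return { sessionEnded: false, removed: [] };
    }
    const removed = clearSessionCookies(cookieJar);
    // Server-side invalidation, where the server offers a logout endpoint. Without it
    // the cookie is gone locally, but the server session stays valid until it times
    // out on its own.
    if (notifyServer) notifyServer(SITE_B + '/logout');
    return { sessionEnded: true, removed };
  };
}

// --- In-memory stand-ins for the platform APIs so the example runs offline ---
function makeFakeCookieJar(initial) {
  const cookies = initial.map((c) => ({ ...c }));
  return {
    getAll: ({ url }) => cookies.filter((c) => c.origin === url),
    remove: ({ url, name }) => {
      const i = cookies.findIndex((c) => c.origin === url && c.name === name);
      if (i !== -1) cookies.splice(i, 1);
    },
  };
}

// Walk through the scenario from the thread: two app windows open, Site B has set an
// HttpOnly JSESSIONID (constructed value), and the user closes both windows.
function demo() {
  const jar = makeFakeCookieJar([
    { origin: SITE_B, name: 'JSESSIONID', value: 'constructed-session-id', session: true, httpOnly: true },
    { origin: SITE_B, name: 'theme', value: 'dark', session: false, httpOnly: false },
  ]);
  const openWindows = ['main', 'settings']; // ids of the currently open app windows
  const appWindows = { getAll: () => openWindows };
  const serverCalls = [];
  const onClosed = makeWindowClosedListener(appWindows, jar, (url) => serverCalls.push(url));

  openWindows.pop();               // 'settings' closes: one window left, session kept
  const afterFirstClose = onClosed();
  openWindows.pop();               // 'main' closes: last window gone, session ends
  const afterLastClose = onClosed();

  return {
    afterFirstClose,
    afterLastClose,
    remaining: jar.getAll({ url: SITE_B }).map((c) => c.name),
    serverCalls,
  };
}
```

In a real app the background page would register `onClosed` on each window it creates (the `AppWindow` object passed to the `chrome.app.window.create` callback exposes an `onClosed` event) and replace the fake jar with whatever cookie-clearing call the platform actually grants the app; the point of the structure is that the decision to end the session lives in the app, as the reply recommends, and that the server is told as well, since clearing the cookie locally alone leaves the server-side session valid until it expires.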