I have built an application wherein I am saving the token received from the server into sessionStorage on the client side. The session expiry time is 30 minutes. The application works well in the given scenario:

Working correctly

  1. User opens the application.
  2. Idles for 30 minutes and then clicks on any link
  3. Session expiry message appears fine.
  4. User closes the window and launches a new window; the application loads successfully

However, the below scenario doesn't work properly, considering a new sessionStorage is allocated to a new window (Incorrect behavior):

  1. User opens the application.
  2. Idles for 5-6 hours or maybe overnight
  3. User comes back the next day and tries to click on the stale session
  4. Browser hangs and is not responding
  5. User closes the window and launches a new window; the application displays the session timeout page. User has to refresh or relaunch the page.
Seth
Ashish Chauhan
  • By adding an empty line before your list you could make it format as a list. In addition what other technologies did you use? What token are you talking about? If the browser hangs after such a long time it's likely that there is something else amiss. What is your actual question here? It looks like it's working correctly as naturally it can only delete data if the application is running. If the data expired it's probably reading the data and discarding it only on read and not actively monitoring that SessionStorage for expired content. – Seth Jan 19 '17 at 10:17
  • Yes, the application is running (in fact it has been deployed into our UAT environment and it is in a running state all the time). We store the token received from the server into the browser's sessionStorage (it worked well in every scenario). But, if the user is idle on my application for more than 5-6 hours and if the browser goes into a hang state and then the user closes that browser and opens a new one, the session expiry message appears. This means the token that exists in the previously opened browser is shared by the newly opened one. – Ashish Chauhan Jan 20 '17 at 05:33
  • It is like a default behaviour of the IE browser: when it hangs and a new browser opens thereafter, it passes the sessionStorage to the new one so that the user gets a chance to restore the previous session. – Ashish Chauhan Jan 20 '17 at 05:33
  • I still don't get what your actual question/problem is? My assumption would be that you want to fix that behavior. You would do that by avoiding the crash of the browser and/or actively enforcing the removal of that information. This could e.g. be done by reloading the page after x minutes. But it won't fix it if the browser crashes before that point. – Seth Jan 20 '17 at 06:37
  • I just want to understand: 1. If I open my application in IE and store something into sessionStorage and if the IE window hangs after some time. 2. Then I close it and reopen it in a new window, will that be available in the new window or not? – Ashish Chauhan Jan 20 '17 at 09:20
  • But your own description already shows you whether it is or is not? If you look at the [MDN Window.sessionStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage) description it appears it's actually working as intended as you could consider it a restore. In addition don't forget that the `sessionStorage` and the session of a user are different things. A crashed software isn't going to be able to do much to clean up or similar. – Seth Jan 20 '17 at 09:26
  • And if I want to clear the sessionStorage when the browser window crashed, how would I achieve it? – Ashish Chauhan Jan 23 '17 at 08:14

2 Answers

Your conception about how sessionStorage works is probably wrong. From your question:

> However, the below scenario doesn't work properly, considering a new sessionStorage is allocated to a new window (Incorrect behavior):

This could be considered wrong behavior depending on how a browser actually implements it. From the above MDN entry:

> ... data stored in sessionStorage gets cleared when the page session ends. A page session lasts for as long as the browser is open and survives over page reloads and restores. Opening a page in a new tab or window will cause a new session to be initiated, which differs from how session cookies work.

There is no mechanism to have an expiry after an amount of time for that kind of cache. As such my assumption is that you're already using a mechanism to actively keep track of that time (e.g. Expiry of sessionStorage).

You said the browser is some version of Internet Explorer but you didn't detail the configuration or user interaction. So my assumption is that the user restores the crashed session rather than opening the page anew. The Microsoft documentation says that at least for IE 8 the cache should be discarded but it could be different for other versions. So you would have to inquire with Microsoft and possibly open a bug with them. On the other hand, with the MDN documentation and the official specifications the behavior is perfectly valid:

> The lifetime of a browsing context can be unrelated to the lifetime of the actual user agent process itself, as the user agent may support resuming sessions after a restart.

If you look for other questions regarding sessionStorage and how it actually works you could get a better understanding of it. A good question with a great answer seems to be the following: What is the difference between localStorage, sessionStorage, session and cookies?

Now for your question on how to handle it in a crashed browser: You can only handle it if the browser doesn't crash. Alternatively you could probably change your expiry mechanism to ignore sessions that are older than X, but that would open you up to different kinds of attacks, so without getting into more detail about what you actually do in your application, what that token consists of and what its role is, there isn't much help that can be provided. If you are in control of the machine with the browser you could try to automate what's being detailed under "Security and Privacy » Clearing the Storage Area":

> Clearing the Storage Areas
>
> Session state is released as soon as the last window to reference that data is closed. However, users can clear storage areas at any time by selecting Delete Browsing History from the Tools menu in Internet Explorer, selecting the Cookies check box, and clicking OK. This clears session and local storage areas for all domains that are not in the Favorites folder and resets the storage quotas in the registry. Clear the Preserve Favorite Site Data check box to delete all storage areas, regardless of source.
>
> To delete key/value pairs from a storage list, iterate over the collection with removeItem or use clear to remove all items at once. Keep in mind that changes to a local storage area are saved to disk asynchronously.

Seth
The concern that I had was that when the browser crashed the sessionStorage still remains. So I was looking into a fix that can clear out sessionStorage, which I have achieved with the below snippet:

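```javascript
// On every page load, mark the exit state as unknown and keep a heartbeat.
window.addEventListener('load', function () {
   sessionStorage.setItem('good_exit', 'pending');
   setInterval(function () {
      sessionStorage.setItem('time_before_crash', new Date().toString());
   }, 1000);
});

// A normal close or navigation fires beforeunload; a crash does not.
window.addEventListener('beforeunload', function () {
   sessionStorage.setItem('good_exit', 'true');
});

// This check runs when the script is evaluated, before the load handler above
// resets the flag: a leftover value other than 'true' means the previous page
// never unloaded cleanly.
if (sessionStorage.getItem('good_exit') &&
    sessionStorage.getItem('good_exit') !== 'true') {
   /*
      insert crash logging code here
   */
   alert('Hey, welcome back from your crash, looks like you crashed on: ' + sessionStorage.getItem('time_before_crash'));
}
```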

For details, please refer to the below link: http://jasonjl.me/blog/2015/06/21/taking-action-on-browser-crashes/

Ashish Chauhan
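As an added example (not code from either answer or from the linked blog post), the timestamp check the first answer assumes and the `good_exit` flag from the second answer can be combined so that a restored tab discards a stale token at start-up instead of sending it. The key name `auth_token`, `MAX_IDLE_MS` and the `memoryStorage` stand-in are assumptions; the storage object is passed in so the logic also runs outside a browser.

```javascript
// Added example; key names and MAX_IDLE_MS are assumptions, not from the page.
const TOKEN_KEY = 'auth_token';
const EXIT_KEY = 'good_exit';
const MAX_IDLE_MS = 30 * 60 * 1000; // 30-minute expiry from the question

// Store the token with the time it was issued or last used.
function saveToken(storage, token, now = Date.now()) {
  storage.setItem(TOKEN_KEY, JSON.stringify({ token, lastUsed: now }));
  storage.setItem(EXIT_KEY, 'pending');
}

// Call from a beforeunload handler: a crash never reaches this.
function markCleanExit(storage) {
  storage.setItem(EXIT_KEY, 'true');
}

// Call once at start-up, before any request is sent. A token that is too old,
// unparsable, or left behind by a page that never unloaded is removed.
function loadToken(storage, now = Date.now()) {
  const raw = storage.getItem(TOKEN_KEY);
  if (raw === null) return { token: null, reason: 'none' };
  let entry = null;
  try { entry = JSON.parse(raw); } catch (e) { /* treated as stale below */ }
  const crashed = storage.getItem(EXIT_KEY) === 'pending';
  const stale = !entry || typeof entry.lastUsed !== 'number' ||
    now - entry.lastUsed > MAX_IDLE_MS;
  if (crashed || stale) {
    storage.removeItem(TOKEN_KEY);
    storage.removeItem(EXIT_KEY);
    return { token: null, reason: crashed ? 'restored-after-crash' : 'expired' };
  }
  storage.setItem(EXIT_KEY, 'pending'); // this page is now the live one
  return { token: entry.token, reason: 'ok' };
}

// In-memory stand-in for sessionStorage so the logic can run under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
if (typeof window !== 'undefined' && window.sessionStorage) { // browser only
  window.addEventListener('beforeunload', () => markCleanExit(window.sessionStorage));
  const { token, reason } = loadToken(window.sessionStorage);
  if (token === null) console.log('no usable token:', reason); // e.g. show the login page
}
```

The server still has to reject the expired token on its own; this check only stops the restored page from reusing it.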