64

I use an Android WebView for Twitter OAuth: Twitter asks the user to log in and authorize the application, I retrieve the access token and persist it in my application.

I have no need (and do not) store the user password, but the WebView keeps Twitter's cookies around, and it also asks the user if he wants it to remember the password. As a result of this, even after the de-authorizes the application via his Twitter account page, and my application destroys the access tokens, the next time the WebView is opened, it is probably still logged in, and even if not, it has the password box already filled.

How can I force WebView to not ask to remember passwords, and to not persist session cookies? If that is not possible, can I delete all its stored state (except maybe the image cache)?

Thilo
  • 257,207
  • 101
  • 511
  • 656

6 Answers6

97

You can use this to prevent cookies from being stored and clean cookies already stored:

CookieSyncManager.createInstance(this);
CookieManager cookieManager = CookieManager.getInstance();
cookieManager.removeAllCookies(callback);
cookieManager.setAcceptCookie(false);

WebView webview = new WebView(this);
WebSettings ws = webview.getSettings();
ws.setSaveFormData(false);
ws.setSavePassword(false); // Not needed for API level 18 or greater (deprecated)
Cassio Landim
  • 1,929
  • 23
  • 25
  • 2
    Worked for me when I want to log out successfully in Twitter that uses WebView. Thanks. :) – Honey H Dec 04 '12 at 02:52
  • 2
    Won't this just clear the cookies when the 3 lines are run? It doesn't prevent cookies from being stored. That would require something like `cookieManager.setAcceptCookie(false)`. That said, this answers my question of how to clear cookies, so thanks. – Eric Barr Jan 24 '14 at 00:58
  • 4
    Is the call to `CookieSyncManager.createInstance(this);` needed? – hooby3dfx May 01 '14 at 16:32
  • @hooby3dfx, accordingly to the official documentation at http://developer.android.com/reference/android/webkit/CookieManager. If CookieManager.getInstance() is used before the application instantiates a WebView instance, CookieSyncManager.createInstance(Context) must be called first. – Cassio Landim Aug 05 '14 at 18:56
  • i just used this and getting error inside webview when trying to login using gmail OOps your browser seems to have cookied disable.make sure cookies are enabled or try opening new browser window – Erum Jan 02 '15 at 11:40
  • @CassioLandim i just used this and getting error inside webview when trying to login using gmail OOps your browser seems to have cookied disable.make sure cookies are enabled or try opening new browser window – Erum Jan 02 '15 at 11:51
  • 2
    @Erum the trick for me was to just remove all cookies but not include the line `cookieManager.setAcceptCookie(false);` – Gregriggins36 Mar 26 '15 at 15:22
33

For not saving passwords:

WebView webview = new WebView(this);
WebSettings mWebSettings = webview.getSettings();
mWebSettings.setSavePassword(false);
mWebSettings.setSaveFormData(false);

For cookies:

CookieManager cookieManager = CookieManager.getInstance();
cookieManager.setAcceptCookie(false);

I am not very sure for the cookies implementation.

Michael Celey
  • 12,645
  • 6
  • 57
  • 62
mudit
  • 25,306
  • 32
  • 90
  • 132
  • 7
    Setting setSaveFormData(false) will also help. – Karan Mar 23 '11 at 15:11
  • 1
    @mudit, Not need to create a separate instance of `WebSettings`. You can also do this. `WebView webView = new WebView(this);` `webView.getSettings.setSavePassword(false);` – Kashif Umair Liaqat Jan 31 '13 at 06:02
  • 1
    Be careful with `.setSavePassword` function since it is deprecated for version 4.4 and higher : http://stackoverflow.com/a/19361928/62921 On those version it will be false by default and the popup will not promp. – ForceMagic Dec 06 '13 at 21:36
10

In one line, Try this. I think this should be called after starting the webview.

android.webkit.CookieManager.getInstance().removeAllCookie();
Jun
  • 2,339
  • 1
  • 20
  • 26
10

This is the best answer I have seen in this context

    webView.clearCache(true);
    webView.clearHistory();
    WebSettings webSettings = webView.getSettings();
    webSettings.setSaveFormData(false);
    webSettings.setSavePassword(false); // Not needed for API level 18 or greater (deprecated)

    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP_MR1) {
        CookieManager.getInstance().removeAllCookies(null);
        CookieManager.getInstance().flush();
    } else {
        CookieSyncManager cookieSyncMngr = CookieSyncManager.createInstance(this);
        cookieSyncMngr.startSync();
        CookieManager cookieManager = CookieManager.getInstance();
        cookieManager.removeAllCookie();
        cookieManager.removeSessionCookie();
        cookieSyncMngr.stopSync();
        cookieSyncMngr.sync();
    }
Ayman Mahgoub
  • 4,152
  • 1
  • 30
  • 27
2

Don't clear cookies beacause it will effect other sessions like facebook etc.. stored inside the cookie so try to follow this method

Before oauth transaction such as before the webview creation 

CookieManager cookieManager = CookieManager.getInstance();
cookieManager.setAcceptCookie(false);

After oauth transaction let accept cookie by setting 

cookieManager.setAcceptCookie(true);

it will work i have tested it..

Anand
  • 5,323
  • 5
  • 44
  • 58
Nivin Raj
  • 21
  • 1
1

I have used following solution:

CookieManager cookieManager = CookieManager.getInstance();
cookieManager.setAcceptCookie(false);

Following method does not worked for me:

CookieManager cookieManager = CookieManager.getInstance();
cookieManager.removeAllCookie();

A possible reason may be that we have not synced the cookies as following:

CookieSyncManager.createInstance(getContext()).sync();

But it may be taking time.

Forcing WebView to not ask to remember passwords will also not work.

And it is also not good for usability.

Michael Celey
  • 12,645
  • 6
  • 57
  • 62
Sachin Gupta
  • 444
  • 3
  • 10