Lifecycle of a session cookie in an Android WebView / CookieSyncManager

1

12

I have an Android application which makes requests to my webserver via both a WebView and an HttpClient. I sync cookies between the two using a CookieSyncManager. So far, so good.

When my application starts (inside onResume()), I run a piece of logic similar to the following:

if (appHasBeenIdleFor30Minutes()) {
    CookieManager cookieManager = CookieManager.getInstance();
    cookieManager.removeSessionCookie();
    CookieSyncManager.getInstance().sync();
}

This correctly resets any session cookies that were set from the user's previous session. My question is: will this behavior happen periodically on its own? This question (android webview or browser not deleting session cookies on device reboot) seems to suggest that it does not. When I use the cookie-sync'd HttpClient via a Service it appears that session cookies are not cleared, thus resulting in strange server-side behavior.

I've been unable to find concrete documentation on the lifecycle of session cookies (expiration time=0) inside a WebView/CookieSyncManager - has anyone else had more luck?

Bosco answered 11/6, 2013 at 19:10 Comment(1)
Your question and answer helped me, but I would suggest to you that you expire cookies on the server side because of the security considerations. Someone could intercept the cookie value, and even though you expire it on the client, the same value could be used to hijack the session. Also note that you should consider code on the user untrusted and they could change this behaviour by changing your apk or even using something like Xposed framework.
Iorgos
21

I received a response directly from a Google engineer, who confirmed my suspicions:

You are correct, session cookies do not expire automatically in the lifecycle of a WebView. If you are seeing issues with this, you can always clear all of your cookies or overwrite your session cookies explicitly with an empty value.

The code you have suggested looks like a good workaround, just be aware that cookie synchronisation using a CookieSyncManager is not synchronous - the startSync(), stopSync() and sync() commands are executed asynchronously in a background thread.

TL;DR - session cookies do not expire when a WebView closes, you'll have to manage that yourself.

Bosco answered 25/6, 2013 at 13:45 Comment(1)
It would be nice if you can provide a link to this answer.
Audubon
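A fuller version of the idle check from the question, as an added example that is not part of the original post or answer. The class `SessionCookieGuard`, its preference names and the wall-clock idle logic are assumptions; the cookie calls are the ones the question already uses (both were deprecated in API level 21). It treats a missing timestamp or a clock that moved backwards as expired, and is meant to be called from the Service as well as the Activity.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.webkit.CookieManager;
import android.webkit.CookieSyncManager;

/** Hypothetical helper (not from the post): drops session cookies after idle time. */
public final class SessionCookieGuard {
    private static final String PREFS = "session_cookie_guard";      // assumed name
    private static final String KEY_LAST_ACTIVE = "last_active_ms";  // assumed name
    private static final long IDLE_LIMIT_MS = 30L * 60L * 1000L;     // 30 minutes, as in the question

    private SessionCookieGuard() {}

    /** Pure decision logic, separated so it can be unit tested off-device. */
    static boolean isExpired(long lastActiveMs, long nowMs, long limitMs) {
        if (lastActiveMs < 0) return true;      // no record: first run or app data cleared
        if (nowMs < lastActiveMs) return true;  // wall clock moved backwards: fail closed
        return nowMs - lastActiveMs >= limitMs;
    }

    /** Call from Activity.onPause() and after each request the Service makes. */
    public static void markActive(Context ctx) {
        prefs(ctx).edit().putLong(KEY_LAST_ACTIVE, System.currentTimeMillis()).apply();
    }

    /**
     * Call from Activity.onResume() and before the Service's first request,
     * so the HttpClient path gets the same reset as the WebView path.
     * Returns true when session cookies were removed.
     */
    public static boolean enforce(Context ctx) {
        long last = prefs(ctx).getLong(KEY_LAST_ACTIVE, -1L);
        boolean expired = isExpired(last, System.currentTimeMillis(), IDLE_LIMIT_MS);
        if (expired) {
            // getInstance() throws IllegalStateException unless createInstance() ran first.
            CookieSyncManager.createInstance(ctx.getApplicationContext());
            CookieManager.getInstance().removeSessionCookie();
            // sync() returns before the write completes (background thread, per the
            // answer), so do not treat the persisted store as updated on return.
            CookieSyncManager.getInstance().sync();
        }
        markActive(ctx);
        return expired;
    }

    private static SharedPreferences prefs(Context ctx) {
        return ctx.getApplicationContext().getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }
}
```

The device clock and the APK are under the user's control, so this only tidies client state; the server still has to expire the session itself, as the comment on the question says.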
