Users do not want session cookies to be restored. We close Firefox using Task Manager and restart. We are using JSESSIONID.
JSESSIONID is a session cookie. SInce it is restored after starting the browser I am trying to use this code.
if (session.isNew()) {
String id = session.getId(); String expireDate = "Thu, 01-Jan-1970 00:00:00 GMT"; response.setHeader("Set-Cookie", String.format("JSESSIONID=%s;Expires=%s;Path=/", id, expireDate);
}
What is the recommendation of Firefox ? Users accessing internet applications from net cafes are prove to this risk. They are asking the application team to fix this. I understand there are many other risks in such public places.
All Replies (4)
When using firefox in public places, try with Firefox Private Browsing
The people who answer questions here, for the most part, are other Firefox users volunteering their time (like me), not Mozilla employees or Firefox developers.
If you want to leave feedback for Firefox developers, you can go to the Firefox Help menu and select Submit Feedback... or use this link. (You'll need to be on the latest version of Firefox to submit feedback). Your feedback gets collected at http://input.mozilla.org/, where a team of people read it and gather data about the most common issues.
Firefox stores cookies used in tabs that are currently open in the sessionstore.js file as part of saved session data, so those cookies will be restored if Firefox is closed without first closing these tabs.
You can set the browser.sessionstore.privacy_level pref to 2 (never) or 1 (non-HTTPS) on the about:config page to disable saving cookies via session restore.
The browser.sessionstore.privacy_level_deferred pref is used when you do not reopen the previous session automatically via "Show my windows and tabs from last time" and uses the same values.
Gewysig op
The java code I posted will not solve the problem because it will expire the cookie immediately. I was trying to somehow remove the JSESSIONID cookie.
At this time I understand I can't do this without changing the login architecture because I can't ask users to change their browser settings.
Can the users per persuaded to log out? Once they log out and you invalidate the session on the server, it doesn't matter who has the old cookie since it can't be used to authenticate any more.