Icon View Thread

The following is the text of the current message along with any replies.
Messages 1 to 8 of 8 total
Thread Reuse authentication cookie an a second browser tab
Tue, Jan 19 2021 12:13 PMPermanent Link

Anthony

My EWB App has a login screen which prompts for the username and password which I authenticate against the web server or show a message if the combination is incorrect. On successful authentication I load the data form.

I can continue to use this until the session expires default 30 mins of no activity. However if I refresh the browser page it reloads the application before the timeout expires and I cannot find a way of reconnecting to the previously still valid session and have to log in again. The same is also true if I open another tab with the same URL.

If I use the API URL in a different browser tab to navigate to the database I can still connect and display the JSON values. I was hoping to achieve something like office.com where once logged into a browser I can continue to use any of its Apps without having to login on every tab such as outlook.office.com and tasks.office.com especially as the cookie is still valid in the browser. Is there a way this can be achieved?
Fri, Jan 22 2021 12:23 PMPermanent Link

Tim Young [Elevate Software]

Elevate Software, Inc.

Avatar

Email timyoung@elevatesoft.com

Anthony,

<< My EWB App has a login screen which prompts for the username and password which I authenticate against the web server or show a message if the combination is incorrect. On successful authentication I load the data form.

I can continue to use this until the session expires default 30 mins of no activity. However if I refresh the browser page it reloads the application before the timeout expires and I cannot find a way of reconnecting to the previously still valid session and have to log in again. The same is also true if I open another tab with the same URL.

If I use the API URL in a different browser tab to navigate to the database I can still connect and display the JSON values. I was hoping to achieve something like office.com where once logged into a browser I can continue to use any of its Apps without having to login on every tab such as outlook.office.com and tasks.office.com especially as the cookie is still valid in the browser. Is there a way this can be achieved? >>

The EWB session ID cookie is a "session" cookie and so it will live as long as the current browser session and then be discarded.  Refreshing a browser tab will cause the browser to start a new browser session, as will opening a new browser tab.

I can look into allowing the session cookies to persist across refreshes, etc. but there may be some issues with doing so.

Tim Young
Elevate Software
www.elevatesoft.com
Fri, Jan 22 2021 4:45 PMPermanent Link

Anthony

Tim Young [Elevate Software] wrote:

<<The EWB session ID cookie is a "session" cookie and so it will live as long as the current browser session and then be discarded.  Refreshing a browser tab will cause the browser to start a new browser session, as will opening a new browser tab.

I can look into allowing the session cookies to persist across refreshes, etc. but there may be some issues with doing so.>>

Tim, this is not the case if I open another tab and paste the URL of a database configured on the server I continue to get the JSON results and can browse through the various datasets.

https://localhost/databases/mydatabase/mydataset/data

Are you saying this shouldn't be happening?

Anthony
Sat, Jan 23 2021 11:25 AMPermanent Link

Tim Young [Elevate Software]

Elevate Software, Inc.

Avatar

Email timyoung@elevatesoft.com

Anthony,

<< Tim, this is not the case if I open another tab and paste the URL of a database configured on the server I continue to get the JSON results and can browse through the various datasets.

https://localhost/databases/mydatabase/mydataset/data

Are you saying this shouldn't be happening? >>

I don't know what you're seeing there.  I'm telling you what happens with the sessions when I actually watch the web server respond to requests from a browser (Edge, with Chromium engine) coming from one or more tabs.

Tim Young
Elevate Software
www.elevatesoft.com
Tue, Jan 26 2021 2:43 AMPermanent Link

Anthony

Tim Young [Elevate Software] wrote:

<<I don't know what you're seeing there.  I'm telling you what happens with the sessions when I actually watch the web server respond to requests from a browser (Edge, with Chromium engine) coming from one or more tabs.>>

That is not what i'm experiencing here, if I authenticate against the web server in one tab, then close the tab. I can open another tab and the browser continues to send the token and I can continue to browse all the datasets even if I have not requested them via the EWB App using the URLs https://localhost/databases/MyDatabase/Dataset1/data and https://localhost/databases/MyDatabase/Dataset2/data until the sessions cookie times out after 30 mins or longer as each request appears to extend the expiry time of the session cookie.

My hope was to be able to achieve the same with the EWB App as the session cookie is clearly still present in the Edge with Chromium engine browser but as I am unable to pass the ServerSession to the Database then I am unable to authenticate.
Wed, Jan 27 2021 3:22 PMPermanent Link

Tim Young [Elevate Software]

Elevate Software, Inc.

Avatar

Email timyoung@elevatesoft.com

Anthony,

<< That is not what i'm experiencing here, if I authenticate against the web server in one tab, then close the tab. I can open another tab and the browser continues to send the token and I can continue to browse all the datasets even if I have not requested them via the EWB App using the URLs https://localhost/databases/MyDatabase/Dataset1/data and https://localhost/databases/MyDatabase/Dataset2/data until the sessions cookie times out after 30 mins or longer as each request appears to extend the expiry time of the session cookie. >>

I'm not sure what I was seeing before, but now Edge is preserving the cookie across tabs when I test (both via the example applications and via URLs).  I might have been setting the protocol as "http" instead of "https", and that could have been why I was seeing the cookie refreshes in the web server.  There does seem to be an issue if the Internal web server is set up for https access via the Server Manager, but is then accessed using an http URL in the Edge browser - the browser gets caught in a race condition or something whereby it just keeps trying to re-authenticate because it isn't accepting the cookie being sent back from the web server.  Chrome and Firefox work fine, however, so I think this is a bug in Edge.

Tim Young
Elevate Software
www.elevatesoft.com
Tue, Feb 2 2021 6:00 AMPermanent Link

Anthony

Tim Young [Elevate Software] wrote:

<<I'm not sure what I was seeing before, but now Edge is preserving the cookie across tabs when I test (both via the example applications and via URLs)>>

I'm seeing this persistent (until expiry) cookie in Chrome also, my EWB App has a login page on start-up and the anonymous user is disabled so if I load my EWB App in a different tab the login page is disabled and the user has to reauthenticate. How can I use the still present cookie to reauthenticate the user automatically - similar kind of experience to opening multiple Office 355 tabs.

Thanks

Anthony
Tue, Feb 2 2021 12:13 PMPermanent Link

Tim Young [Elevate Software]

Elevate Software, Inc.

Avatar

Email timyoung@elevatesoft.com

Anthony,

<< I'm seeing this persistent (until expiry) cookie in Chrome also, my EWB App has a login page on start-up and the anonymous user is disabled so if I load my EWB App in a different tab the login page is disabled and the user has to reauthenticate. How can I use the still present cookie to reauthenticate the user automatically - similar kind of experience to opening multiple Office 355 tabs. >>

Again, EWB doesn't handle cookies in client applications, the browser does.  EWB does or does not get a cookie based upon the rules defined by the browser, so if you are not seeing the session cookie in different tabs in the browser, then EWB has no control over that.  Client EWB code can't even *see* the cookie because the EWB 3 Web Server always marks it as HTTP-only.

Tim Young
Elevate Software
www.elevatesoft.com
Image