Lifecycle of a session cookie in an Android WebView / CookieSyncManager

gnmerritt · Jun 11, 2013 · Viewed 12.2k times

I have an Android application which makes requests to my webserver via both a WebView and an HttpClient. I sync cookies between the two using a CookieSyncManager. So far, so good.

When my application starts (inside onResume()), I run a piece of logic similar to the following:

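    if ( appHasBeenIdleFor30Minutes() ) {
        CookieManager cookieManager = CookieManager.getInstance();
        // Drop the session cookies (no expiry set) left over from the previous session.
        cookieManager.removeSessionCookie();
        // Push the change from memory to persistent storage; this runs asynchronously.
        CookieSyncManager.getInstance().sync();
    }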

This correctly resets any session cookies that were set from the user's previous session. My question is: will this behavior happen periodically on its own? This question ("android webview or browser not deleting session cookies on device reboot") seems to suggest that it does not. When I use the cookie-sync'd HttpClient via a Service it appears that session cookies are not cleared, thus resulting in strange server-side behavior.

I've been unable to find concrete documentation on the lifecycle of session cookies (expiration time=0) inside a WebView/CookieSyncManager - has anyone else had more luck?

Answer

gnmerritt · Jun 25, 2013

I received a response directly from a Google engineer, who confirmed my suspicions:

You are correct, session cookies do not expire automatically in the lifecycle of a WebView. If you are seeing issues with this, you can always clear all of your cookies or overwrite your session cookies explicitly with an empty value.

The code you have suggested looks like a good workaround, just be aware that cookie synchronisation using a CookieSyncManager is not synchronous - the startSync(), stopSync() and sync() commands are executed asynchronously in a background thread.

TL;DR - session cookies do not expire when a WebView closes, you'll have to manage that yourself.
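
An idle-timeout helper along the lines of the workaround above, as an added example (not code from the original post or from Android itself). It goes beyond the post by persisting the last-active time so the check survives process death and reboot, and by using the callback-based removeSessionCookies() available from API 21; the class name, preference key and onDone hook are assumptions.

```java
import android.content.SharedPreferences;
import android.os.Build;
import android.webkit.CookieManager;
import android.webkit.CookieSyncManager;
import android.webkit.ValueCallback;

/** Hypothetical helper (added example): expires WebView session cookies after idle time. */
public final class SessionCookieExpirer {
    private static final long IDLE_LIMIT_MS = 30 * 60 * 1000L; // 30 minutes, as in the question
    private static final String KEY_LAST_ACTIVE = "last_active_ms"; // assumed preference key
    private final SharedPreferences prefs;

    public SessionCookieExpirer(SharedPreferences prefs) { this.prefs = prefs; }

    /** Call from onPause(). Persisted so the value survives process death and reboot. */
    public void markActive() {
        prefs.edit().putLong(KEY_LAST_ACTIVE, System.currentTimeMillis()).apply();
    }

    /** Missing timestamp, or a clock set backwards, counts as idle: fail closed. */
    boolean isIdle(long nowMs) {
        long last = prefs.getLong(KEY_LAST_ACTIVE, -1L);
        return last < 0 || nowMs < last || nowMs - last >= IDLE_LIMIT_MS;
    }

    /** Call from onResume(). onDone runs once removal has been requested or confirmed. */
    public void expireIfIdle(final Runnable onDone) {
        if (!isIdle(System.currentTimeMillis())) { onDone.run(); return; }
        final CookieManager cm = CookieManager.getInstance();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            // API 21+: the callback fires after the session cookies are removed.
            cm.removeSessionCookies(new ValueCallback<Boolean>() {
                @Override public void onReceiveValue(Boolean removed) {
                    cm.flush();   // write the change to persistent storage
                    onDone.run(); // safe point to re-copy cookies into HttpClient
                }
            });
        } else {
            // Older API, as in the question. Assumes CookieSyncManager.createInstance()
            // was called earlier. sync() is asynchronous, so there is no completion
            // signal here; do not assume the cookies are gone when onDone runs.
            cm.removeSessionCookie();
            CookieSyncManager.getInstance().sync();
            onDone.run();
        }
    }
}
```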