Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Make Android WebView not store cookies or passwords

I use an Android WebView for Twitter OAuth: Twitter asks the user to log in and authorize the application, I retrieve the access token and persist it in my application.

I have no need (and do not) store the user password, but the WebView keeps Twitter's cookies around, and it also asks the user if he wants it to remember the password. As a result of this, even after the de-authorizes the application via his Twitter account page, and my application destroys the access tokens, the next time the WebView is opened, it is probably still logged in, and even if not, it has the password box already filled.

How can I force WebView to not ask to remember passwords, and to not persist session cookies? If that is not possible, can I delete all its stored state (except maybe the image cache)?

like image 813
Thilo Avatar asked Mar 23 '11 11:03

Thilo


People also ask

Does Android WebView store cookies?

WebViews automatically persist cookies into a android. webkit. CookieManager. Need to store cookies from a WebView into a java.

What is alternative of WebView in android?

Alternatives to WebView If you want to send users to a mobile site, build a progressive web app (PWA). If you want to display third-party web content, send an intent to installed web browsers. If you want to avoid leaving your app to open the browser, or if you want to customize the browser's UI, use Custom Tabs.

Is WebView slower than browser?

Web View is slower on both as compared to native android browser.

Is Android WebView deprecated?

This interface was deprecated in API level 12. This interface is now obsolete.


6 Answers

For not saving passwords:

WebView webview = new WebView(this);
WebSettings mWebSettings = webview.getSettings();
mWebSettings.setSavePassword(false);
mWebSettings.setSaveFormData(false);

For cookies:

CookieManager cookieManager = CookieManager.getInstance();
cookieManager.setAcceptCookie(false);

I am not very sure for the cookies implementation.

like image 20
mudit Avatar answered Oct 05 '22 06:10

mudit


You can use this to prevent cookies from being stored and clean cookies already stored:

CookieSyncManager.createInstance(this);
CookieManager cookieManager = CookieManager.getInstance();
cookieManager.removeAllCookies(callback);
cookieManager.setAcceptCookie(false);

WebView webview = new WebView(this);
WebSettings ws = webview.getSettings();
ws.setSaveFormData(false);
ws.setSavePassword(false); // Not needed for API level 18 or greater (deprecated)
like image 129
Cassio Landim Avatar answered Oct 05 '22 04:10

Cassio Landim


In one line, Try this. I think this should be called after starting the webview.

android.webkit.CookieManager.getInstance().removeAllCookie();
like image 21
Jun Avatar answered Oct 05 '22 06:10

Jun


This is the best answer I have seen in this context

    webView.clearCache(true);
    webView.clearHistory();
    WebSettings webSettings = webView.getSettings();
    webSettings.setSaveFormData(false);
    webSettings.setSavePassword(false); // Not needed for API level 18 or greater (deprecated)

    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP_MR1) {
        CookieManager.getInstance().removeAllCookies(null);
        CookieManager.getInstance().flush();
    } else {
        CookieSyncManager cookieSyncMngr = CookieSyncManager.createInstance(this);
        cookieSyncMngr.startSync();
        CookieManager cookieManager = CookieManager.getInstance();
        cookieManager.removeAllCookie();
        cookieManager.removeSessionCookie();
        cookieSyncMngr.stopSync();
        cookieSyncMngr.sync();
    }
like image 33
Ayman Mahgoub Avatar answered Oct 05 '22 06:10

Ayman Mahgoub


Don't clear cookies beacause it will effect other sessions like facebook etc.. stored inside the cookie so try to follow this method

Before oauth transaction such as before the webview creation

CookieManager cookieManager = CookieManager.getInstance();
cookieManager.setAcceptCookie(false);

After oauth transaction let accept cookie by setting

cookieManager.setAcceptCookie(true);

it will work i have tested it..

like image 28
Nivin Raj Avatar answered Oct 05 '22 04:10

Nivin Raj


I have used following solution:

CookieManager cookieManager = CookieManager.getInstance();
cookieManager.setAcceptCookie(false);

Following method does not worked for me:

CookieManager cookieManager = CookieManager.getInstance();
cookieManager.removeAllCookie();

A possible reason may be that we have not synced the cookies as following:

CookieSyncManager.createInstance(getContext()).sync();

But it may be taking time.

Forcing WebView to not ask to remember passwords will also not work.

And it is also not good for usability.

like image 33
Sachin Gupta Avatar answered Oct 05 '22 04:10

Sachin Gupta