Clear the session/cache/cookie in the JavaFX WebView

Question

I had a Swing dialog, which uses JavaFX WebView to display oAuth 2.0 URL from Google server.

public class SimpleSwingBrowser extends JDialog {

    private final JFXPanel jfxPanel = new JFXPanel();
    private WebEngine engine;

    private final JPanel panel = new JPanel(new BorderLayout());

    public SimpleSwingBrowser() {
        super(MainFrame.getInstance(), JDialog.ModalityType.APPLICATION_MODAL);
        initComponents();
    }


    private void initComponents() {
        createScene();

        panel.add(jfxPanel, BorderLayout.CENTER);

        getContentPane().add(panel);

        java.awt.Dimension screenSize = java.awt.Toolkit.getDefaultToolkit().getScreenSize();
        setBounds((screenSize.width-460)/2, (screenSize.height-680)/2, 460, 680);
    }

    private void createScene() {

        Platform.runLater(new Runnable() {
            @Override 
            public void run() {

                final WebView view = new WebView();
                engine = view.getEngine();

                engine.titleProperty().addListener(new ChangeListener<String>() {
                    @Override
                    public void changed(ObservableValue<? extends String> observable, String oldValue, final String newValue) {
                        SwingUtilities.invokeLater(new Runnable() {
                            @Override 
                            public void run() {
                                SimpleSwingBrowser.this.setTitle(newValue);
                            }
                        });
                    }
                });

                engine.getLoadWorker()
                        .exceptionProperty()
                        .addListener(new ChangeListener<Throwable>() {

                            public void changed(ObservableValue<? extends Throwable> o, Throwable old, final Throwable value) {
                                if (engine.getLoadWorker().getState() == FAILED) {
                                    SwingUtilities.invokeLater(new Runnable() {
                                        @Override public void run() {
                                            JOptionPane.showMessageDialog(
                                                    panel,
                                                    (value != null) ?
                                                    engine.getLocation() + "\n" + value.getMessage() :
                                                    engine.getLocation() + "\nUnexpected error.",
                                                    "Loading error...",
                                                    JOptionPane.ERROR_MESSAGE);
                                        }
                                    });
                                }
                            }
                        });

                // http://stackoverflow.com/questions/11206942/how-to-hide-scrollbars-in-the-javafx-webview
                // hide webview scrollbars whenever they appear.
                view.getChildrenUnmodifiable().addListener(new ListChangeListener<Node>() {
                    @Override 
                    public void onChanged(Change<? extends Node> change) {
                        Set<Node> deadSeaScrolls = view.lookupAll(".scroll-bar");
                        for (Node scroll : deadSeaScrolls) {
                            scroll.setVisible(false);
                        }
                    }
                });

                jfxPanel.setScene(new Scene(view));
            }
        });
    }

    public void loadURL(final String url) {
        Platform.runLater(new Runnable() {
            @Override 
            public void run() {
                String tmp = toURL(url);

                if (tmp == null) {
                    tmp = toURL("http://" + url);
                }

                engine.load(tmp);
            }
        });
    }

    private static String toURL(String str) {
        try {
            return new URL(str).toExternalForm();
        } catch (MalformedURLException exception) {
                return null;
        }
    }
}

Everytime, I will get the following URL from Google. I will use the SimpleSwingBrowser to load the following URL.

https://accounts.google.com/o/oauth2/auth?client_id=xxx&redirect_uri=http://localhost:55780/Callback&response_type=code&scope=email%20https://www.googleapis.com/auth/drive.appdata%20profile

During the first time, the following UI will be shown.

Screen One

Screen Two

After I

1. Perform success login at Screen One.
2. Presented with Screen Two.
3. Click on Accept.
4. Close the web browser dialog.
5. Again, generate the exact same URL as first time.
6. Create a completely new instance of SimpleSwingBrowser, to load URL generated at step

I expect Google will show me Screen One again, as this is a new browsing session. However, what I'm getting for the 2nd time, is Screen Two.

It seems that, there are some stored session/cache/cookie in the WebView, even though it is a completely new instance.

I expect I will get myself back to Screen One, so that I can support multiple user accounts.

How can I clear the session/cache/cookie in the WebView?

Answer 1

Session cookies for JavaFX WebView are stored in java.net.CookieHandler.

To manage cookies on your own create new instance of java.net.CookieManager:

java.net.CookieManager manager = new java.net.CookieManager();

Then set it as default:

java.net.CookieHandler.setDefault(manager);

To clear cookies just call removeAll method:

manager.getCookieStore().removeAll();

or just create new instance of cookie manager and set it as default:

java.net.CookieHandler.setDefault(new java.net.CookieManager());

Answer 2

I used JavaFX 8 WebView to display OAuth 2.0 from Google as well as from Dropbox. Turned out setting a new instance of java.net.CookieManager() as default worked with Google (and of course removed the session cookies), but I wasn't able to sign in with my Dropbox account anymore. The "Sing in" button just did not work.

I debugged and found out that per default an instance of com.sun.webkit.network.CookieManager is used. So, I used

java.net.CookieHandler.setDefault(new com.sun.webkit.network.CookieManager());

which solved my problem. Due to its javadoc it's RFC 6265-compliant, which is the current definition of HTTP Cookies and Set-Cookie header fields.

You need to use the JDK (not just the JRE) as your project's system library due to some access restrictions in the JRE.

Answer 3

I just wanted to post an update regarding the current state of the WebView of JavaFX 18, because we went with the suggested solution (setting the cookie manager before calling the web view) but still had issues.

The reason for this is the way the HTTP2Loader class, that is used to make request in the WebEngine, works:

// Use singleton instance of HttpClient to get the maximum benefits
@SuppressWarnings("removal")
private final static HttpClient HTTP_CLIENT =
    AccessController.doPrivileged((PrivilegedAction<HttpClient>) () -> HttpClient.newBuilder()
            .version(Version.HTTP_2)  // this is the default
            .followRedirects(Redirect.NEVER) // WebCore handles redirection
            .connectTimeout(Duration.ofSeconds(30)) // FIXME: Add a property to control the timeout
            .cookieHandler(CookieHandler.getDefault())
            .build());

Because the HTTP_CLIENT field is static and used to execute the request, only the first time a HTTP2Loader instance is created, will the current default CookieHandler be referenced. So if you just set a new CookieHandler every time before you load a page via the WebView, then this will only work once. After that the HTTP_CLIENT singleton will always use the CookieHandler that is referenced when it was created.

IMHO this is a design issue in the HTTP2Loader class. Instead of having a static field, the field should be none static. The HTTP2Loader class is effectively an immutable one time use instance anyway, so there is no need to make use of a singleton to execute a request.

I have no idea why they went with that solution, really. Even the javadoc does not make much sense, because what are the "benefits"?

So there are two solutions now:

1. Access the current cookie handler an put an empty map for the URI that you will be accessing. E.g. CookieHandler.getDefault().put(someUri, Collections.emptyMap()) Though this will be a problem if you access a side and a lot of redirects happen in the process, in which case there is no way to know about which URIs cookies to empty.
2. Create a new CookieHandler before the first time a page in any WebView is loaded and keep track of it. Then before you load a WebView again, clear the CookieStore of the handler that you kept track of.

Now that being said, the afore mentioned methods will fail if another piece of code that you do not have control over does the following:

• Noted the current default CookieHandler
• Set a new default CookieHandler
• Created a WebView and loaded page for the first time
• Set the old CookieHandler as the default again

In that case you will never be able to gain access to the CookieHandler again that is from there on out being used in the WebView.