Hi,
I uploaded an app into Shiny apps io. The user imports csv data, the app reads in the data, and performs graphics and statistical measures. The app does not have code that will delete all objects after the browser is closed or after the user enters another website within the same browser session. I need to ensure that no data is left in the Shiny server after the browser is closed or after the user enters another website within the same browser session. With this, I have the following questions.
Q1: app ran locally
- I noticed that no objects are shown in the Global Environment when the app is ran locally, so if the Global Environment is empty, where are the objects stored?
Q2: app ran in shinyapps.io
2) After an object is created when reading the data as read.csv(imported_data), is the data object automatically deleted when the browser is closed? If not, where does the data object go to?
Q3: app ran in shinyapps.io
3) Do I need to add code to delete these data objects? I see at least two options here:
3.1) Use rm(data_object) to remove the objects but not make this reactive until the user completes the work flow
3.2) Add UI message to the user to click a button to remove all objects before existing the app. To prevent the UI forgetting to remove objects:
3.2.1) When the user attempts closing the browser, a message will be displayed to remind him/her to click the data remove button
3.2.2) When the user attempts to moving forward into another website within the same browser session, a message will be displayed to remind him/her to click the data remove button (I do not know if this is possible).
Is there any “easy” way to handle sensitive imported data?
I appreciate your help.
Thank you,
Rodrigo
I am not 100% sure about shinyapps.io, as I have never used that platform before. However, I imagine it is similar for this question. When you run a shiny app locally, it is run using your current R session but it creates its own local environment. Similar to a function (since your server code is actually a function), nothing that is done from within the app is saved to the global environment unless explicitly told to do so. So every time you close the app and stop it running in your R session, everything you did within the app is automatically deleted with it.
Again, I have never used shinyapp.io, but I would imagine it is the same for that.
Dear Tyler,
Thank you very much for your insight. Intuitively speaking, I would imagine too that shinyapps.io works the same way however I would wait for others from the community, or from R Studio, to respond in case they have the answer. If all objects are automatically deleted then that would be great 
.
in my understanding the following should be applied:
Q1:
i would suggest (if not already) reading scoping rules and environments (env) in R. In a nutshell:
server.R:
#at this point env is created as a child to global env, let's call it server env
this <<- 3
this = 3.1
shinyServer(function(input, output) {
# at this point env is created as a grand child to global env, let's call it serverFunction env
this = 3.14
output$example = renderText({
#env for renderText function created as a child to serverFunction env
this = 3.141
return(this) # will return 3.141
return(get(x='this', envir = environment()) # returns 3.141 same as previous
return(get(x='this', envir = parent.env(environment())) # returns 3.14 as parent is serverFunction env
return(get(x='this', envir = parent.env(parent.env(environment()))) # returns 3.1 as grandparent is server env
return(get(x='this', envir = parent.env(parent.env(environment()))) # returns 3 as <<- operator assigned to global
}) # at this point renderText env is deleted
}) # at this point serverFunction env is deleted (i think 5 seconds after user disconnects)
# in here i am no longer sure, when the server env gets deleted, but i would assume same as serverFunction
# global again not sure, most likely when rsession.exe terminates
# this suggests that if multiple users are connected and assigned the same rsession.exe then global will exist until 5 secs after last user disconnects
Q2
i wouldn't think that shinyapps are using their own shiny-server where they changed the way shiny and R creates and terminates environments therefore it's fair to assume Q1 applies here.
Q3
3) no unless you create objects in global_env that can be potentially accessed cross session
3.1) object gets deleted from memory when calling function terminates so not necessary, use rm();gc() to control memory usage in memory heavy functions (e.g. when large objects (subjective) gets deleted during the function but function continues to run and process further data). "user completes the work flow" is usually when function ends and variables are deleted
3.2 and 3.2.1) not recommended and maybe not even needed based on above answers, i am not sure how could you prevent session from being terminated when user initiated termination by clicking X button, if javascript can prevent browser from closing after alert window is closed? also to ensure user actually does something even if they are alerted. i would recommend reading about session$onSessionEnded for any post session processing
3.2.2) Doable, you can create observers on which part of website is user at, e.g. which tab is active, if current tab value changes to FALSE then you delete given objects from memory in case they have been created in env which hasnt terminated yet.
to handle sensitive data?
use HTTPS and ensure strict HTTPS header to ensure encrypted communication and X-Frame-Options header to prevent clickjacking. Ideally use (if company) server accessible from within company VPN only. I have no experience with shinyapps io, i have used amazon aws before to create instance and launched shiny there, i would always recommend this option although you have to configure server yourself.
Kind regards,
Peter