28 May 2012

Chrome security bug -- not deleting session cookies

In the most recent version of Google Chrome (19.0.1084.52 m), the function of the "On Startup > Continue where I left off" setting has changed so that it does not log out of accounts when I close my browser. It appears that the Chrome browser no longer clears temporary session cookies when it closes (and according to some posts, the session cookies even remain after restarting the computer!). This is a potentially serious security issue, as I have at least three applications which open in a logged-in status when I start a fresh session of Chrome: Gmail, RememberTheMilk, and Blogger. (As I composed this post I closed my browser a couple of times to test the setting, and when I reopened it, Blogger was still logged into the "edit post" page for this entry.)

I changed my browser setting to "Open a page or specific set of pages" but it does the same thing: if I'm logged in to these sites when I close my browser, I'll still be logged in when I reopen Chrome again.

Until Google fixes this, I will use the solution I discovered at http://productforums.google.com/forum/#!msg/chrome/Yjw7Urs0fAs/ppNs6qQT_8IJ:

1. Go to Chrome Settings, then Privacy
2. Click on Content Settings
3. Under Cookies, check: Clear cookies and other site and plugin data when I close my browser.

As the author says, this will clear all your cookies, which I do mind, actually. So this is only a stop-gap solution, and I hope Google fixes this bug soon.

Update 4 Feb 2015

Well, it only took three years, but it appears that someone at Google finally helped me figure out the problem. In brief, the trick is to close Chrome using the Menu > Exit button or Ctrl+Shift+Q, rather than using the red close "X" in the top right corner of the window.

This from the Chromium forum:

#9 mattm@chromium.org
battre: I thought that delete site data on exit had been changed to take precedence over "continue where I left off" (eg issue 128567 comments 19 and 20). Some tests I did seem to confirm that.

This sounds like it could be the issue where chrome doesn't actually exit (maybe because some chrome app / extension is still running).

curtis: could you try closing chrome using the chrome menu -> "Exit" option instead of clicking the X button? and check the windows task manager to confirm there are no chrome processes still running.

And my happy response:

#10 curtis
Matt: Closing Chrome using the Menu > Exit option did the trick. It killed all Chrome processes and I was prompted for a Gmail password when I restarted Chrome. I tested it again by clicking the red "X" and only a couple of Chrome processes were stopped -- most of them kept running. 

So it appears that THAT is what has changed: the close browser function using the X is not killing processes like it used to. But knowing that I have to use Exit menu item instead is great...once I train myself to do that (an old dog learning a new trick) all will be well. Thanks!