28 May 2012

Chrome security bug -- not deleting session cookies

In the most recent version of Google Chrome (19.0.1084.52 m), the function of the "On Startup > Continue where I left off" setting has changed so that it does not log out of accounts when I close my browser. It appears that the Chrome browser no longer clears temporary session cookies when it closes (and according to some posts, the session cookies even remain after restarting the computer!) This is a potentially serious security issue, as I have at least three applications which open in a logged-in status when I start a fresh session of Chrome: Gmail, RememberTheMilk, and Blogger. (As I composed this post I closed my browser a couple times to test setting, and when I reopened it, Blogger was still logged into the "edit post" page for this entry.)

I changed my browser setting to "Open a page or specific set of pages" but it does the same thing: if I'm logged in to these sites when I close my browser, I'll still be logged in when I reopen Chrome again.

Until Google fixes this, I will use the solution I discovered at http://productforums.google.com/forum/#!msg/chrome/Yjw7Urs0fAs/ppNs6qQT_8IJ:

1. Go to Chrome setting then Privacy
2. Click on Content Settings
3. Under Cookies, check : Clear cookies and other site and plugin data when I close my browser.

As the author says, this will clear all your cookies. which I do mind, actually. So this is only a stop-gap solution, and I hope Google fixes this bug soon.

Update 4 Feb 2015

Well, it only took three years, but it appears that someone at Google finally helped me figure out the problem. In brief, the trick is to close Chrome using the Menu > Exit button or Ctrl+Shift+Q, rather than using the red close "X" in the top right corner of the window.

This from the Chromium forum:

#9 mattm@chromium.org
battre: I thought that delete site data on exit had been changed to take precedence over "continue where I left off" (eg  issue 128567  comments 19 and 20). Some tests I did seem to confirm that.

This sounds like it could be the issue where chrome doesn't actually exit (maybe because some chrome app / extension is still running).

curtis: could you try closing chrome using the chrome menu -> "Exit" option instead of clicking the X button? and check the windows task manager to confirm there are no chrome processes still running.

And my happy response:

#10 curtis
Matt: Closing Chrome using the Menu > Exit option did the trick. It killed all Chrome processes and I was prompted for a Gmail password when I restarted Chrome. I tested it again by clicking the red "X" and only a couple of Chrome processes were stopped -- most of them kept running. 

So it appears that THAT is what has changed: the close browser function using the X is not killing processes like it used to. But knowing that I have to use Exit menu item instead is great...once I train myself to do that (an old dog learning a new trick) all will be well. Thanks!



ace said...

any word on this? it's annoying as hell.

Curtis said...

Hi, Ace. The problem seems to come and go. For months things worked as they should. And then last week Chrome started acting up again and I'd open my browser hours after closing it only to find it still logged into my Gmail account.

ace said...

poo. i was hoping you'd say - yes, it's all working great now! :) oh, well.

Unknown said...

From a web developer viewpoint this is *very* fucked.

It's a violation of RFC2109 section 3 that reads:
1. Each session has a beginning and an end.
2. Each session is relatively short-lived.

'Continue where I left off' effectively renders session cookies useless, as they might be open-ended. Therefore I have to continuously re-set cookies within a session and define an inactivity expiration timeout for that 'session'.

This is what all web applications should now do. You can argue that for real security, this is what they always should have done. You should never trust a remote piece of software and always treat it as hostile.

This changed browser behaviour might be fine for online shopping carts and such but is not okay for login cookies.

Also I've always understood session cookies as 'not stored on disk'. In fact it now seems they are stored, but removed on exit. (when 'Continue where I left off' is disabled) Sessions on SSL-enabled sites are never sent in the clear, but can now be hijacked by someone with access to your harddisk, where they are stored as plain text data.

Unknown said...

And Android Web browsers are just as insecure as Chrome. These browsers also do not delete cookies, because a session is never terminated, even if the tablet PC is restarted.

Curtis said...

This bug has reared it's ugly head again in the past week. I just filed a Chromium Project bug report for it: https://code.google.com/p/chromium/issues/detail?id=403312

Curtis said...

In case you didn't receive a notice of my 4 Feb 2015 update, the trick is to close Chrome using the Menu > Exit button or Ctrl+Shift+Q, rather than using the red close "X" in the top right corner of the window.