
Issue 768238

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 23
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: ----
Type: ----




Custom tabs from different applications not sharing the same cookies

Reported by joemerhe...@gmail.com, Sep 24 2017

Issue description

I have developed 2 apps that use custom tabs for login. I want to achieve single sign-on where I'm relying on the identity provider (server) to detect the same session (stored in custom tabs cookies) and automatically authenticate the user.

Application Version (from "Chrome Settings > About Chrome"): Chrome 60.0.3112.116
Android Build Number (from "Android Settings > About Phone/Tablet"): 7.0
Device: Samsung Galaxy S8+

Steps to reproduce:
1. Open App#1 > click sign in > get asked for your credentials.
2. Open App#2 > click sign in.

Observed behavior: 
I'm only getting automatically signed in if I open app#2 within 15~20 min after opening app#1. When I wait longer than that, app#2 will ask for sign in credentials again. 

Expected behavior: 
App#2 should never ask for credentials and get automatically signed in using the session cookie in its custom tab.

Frequency: 
100% 

Additional comments: 
Does that mean that the custom tab cookies expire at some point?
To my understanding, cookies in the Chrome browser and all the custom tabs on the device remain forever (or until manually cleared), which means that every app on the same device that uses the same IdP should call the authentication request using the same session ID, thus getting recognized and automatically signed in by the server.
Is my understanding correct? Anything I'm missing?

Thanks.
 
Labels: Needs-triage-Mobile
Cc: yus...@chromium.org sbirch@chromium.org
Components: UI>Browser>Mobile>CustomTabs
Labels: -Needs-triage-Mobile
Status: Untriaged (was: Unconfirmed)
I don't have sample apps to try the exact scenario as above, but I tried going to a Twitter link (opened in CCT) from Google search app and signed in to Twitter and then went to another Twitter link (opened in CCT) from Gmail app and I am auto logged in to Twitter. So cookies are being shared.
Cc: rhalavati@chromium.org
Components: Privacy
Doesn't it cause privacy issues?
Apps don't have access to the cookies in a custom tab, but pages should load with your profile.
Labels: Needs-Feedback
A custom tab is no different than a tab in Chrome. Its cookie retention should be the same as if you opened a tab within Chrome. Test opening the page in Chrome, setting the cookie, closing the tab, and then opening a new tab with your second page.

If closing the tab causes your cookie to be clobbered in non-CCT, then it will clobber it when you close your CCT.

In general, the cookie policy should be no different.
Status: WontFix (was: Untriaged)
Closing the issue as there has been no response from the reporter
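
The thread states that cookie retention in a custom tab matches a normal Chrome tab, which leaves the lifetimes the IdP itself sets as something to check when a re-prompt appears after a delay. The following is an added example, not code from this thread or from Chromium: it parses `Set-Cookie` headers with the RFC 6265 lifetime rules and lists which cookies a browser would stop sending after a given gap. All cookie names, values and timestamps are constructed.

```javascript
// Added example: classify Set-Cookie headers by lifetime (RFC 6265 rules).
// Cookie names and values below are constructed, not taken from any real IdP.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), maxAge: null, expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) cookie.maxAge = Number(val);
    if (key === 'expires' && !Number.isNaN(Date.parse(val))) {
      cookie.expires = Date.parse(val);
    }
  }
  return cookie;
}

// Absolute expiry in ms since epoch, or null for a session cookie (no
// Expires/Max-Age: kept only until the browser session ends).
// Max-Age takes precedence over Expires when both are present.
function expiryTime(cookie, setAtMs) {
  if (cookie.maxAge !== null) return setAtMs + cookie.maxAge * 1000;
  if (cookie.expires !== null) return cookie.expires;
  return null;
}

// Names of cookies that have expired `gapSeconds` after they were set.
function expiredAfter(headers, setAtMs, gapSeconds) {
  const laterMs = setAtMs + gapSeconds * 1000;
  return headers
    .map(parseSetCookie)
    .filter((c) => {
      const exp = expiryTime(c, setAtMs);
      return exp !== null && exp <= laterMs;
    })
    .map((c) => c.name);
}

// Constructed sample: what a login response might set.
const SAMPLE = [
  'idp_session=abc123; Max-Age=900; Path=/; Secure; HttpOnly',
  'remember_me=xyz; Expires=Mon, 24 Sep 2018 10:00:00 GMT; Path=/; Secure',
  'csrf=t0k3n; Path=/; Secure',
];
const SET_AT = Date.parse('2017-09-24T10:00:00Z');
console.log(expiredAfter(SAMPLE, SET_AT, 10 * 60)); // []
console.log(expiredAfter(SAMPLE, SET_AT, 20 * 60)); // [ 'idp_session' ]
```

Feed it the real `Set-Cookie` headers captured from the IdP's login response; a short `Max-Age` on the session cookie, or a server-side idle timeout that no header reveals, would produce the same re-prompt in a regular Chrome tab.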
