
Issue 844075


Issue metadata

Status: Duplicate
Merged: issue 128513
Owner: ----
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, iOS, Chrome, Mac, Fuchsia
Pri: ----
Type: Bug




Security: Chrome is not deleting session cookie when browser set to remember session

Reported by whata...@gmail.com, May 17 2018

Issue description

VULNERABILITY DETAILS
When Chrome is configured to remember my previous session (to reopen pages I was looking at when I closed the window) it is failing to respect session cookies. Session cookies never expire.

I'm betting you are going to call this not an issue but a design decision.

VERSION
Chrome Version: Version 66.0.3359.181 (Official Build) (64-bit)
Operating System: Windows 10

REPRODUCTION CASE
Open any web application that sets a session cookie
Keep tab opened and close Chrome window
Reopen Chrome and the saved tab reopens and the session cookie is reused
I then close the tab, which also closes the Chrome window
Reopen Chrome with no tabs and go to previous web application and again the session cookie is reused.
Given the session cookie has no expiration date set, which made it a session cookie, then this cookie will be around for I don't know how long.


 
Components: Internals>Network>Cookies
Labels: Needs-Feedback OS-Android OS-Chrome OS-Fuchsia OS-iOS OS-Linux OS-Mac OS-Windows
> When Chrome is configured to remember my previous session

Do you mean Chrome is configured to "Continue where I left off" under "Startup" (on the chrome://settings/ page)?

If so, then I think this works as intended. See https://bugs.chromium.org/p/chromium/issues/detail?id=128513#c28 for more details

Comment 2 by whata...@gmail.com, May 17 2018

Yes, that's what I meant and as I expected the answer is "it is by design". I just will leave here to say that bad design is also a vulnerability. I wish you had listened to the other users complaining in that thread you shared.
Take care.
Project Member

Comment 3 by sheriffbot@chromium.org, May 17 2018

Cc: metzman@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mergedinto: 128513
Status: Duplicate (was: Unconfirmed)
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
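
Added example, not part of the original thread or of Chromium's code: because a cookie with no expiry can survive a browser restart when "Continue where I left off" is enabled, an application can bound session lifetime on the server instead of relying on the browser. The `SessionStore` class, its timeout values and the timeline in `demo()` are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60           # assumed policy: 15 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # assumed policy: 8 hours since login


class SessionStore:
    """In-memory server-side session table keyed by the cookie value."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self._idle = idle
        self._absolute = absolute
        self._clock = clock

    def create(self, user):
        now = self._clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid  # sent to the browser as a cookie with no Expires/Max-Age

    def validate(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        expired = (now - rec["last_seen"] > self._idle
                   or now - rec["created"] > self._absolute)
        if expired:
            del self._sessions[sid]  # a restored cookie cannot revive the session
            return None
        rec["last_seen"] = now
        return rec["user"]


def demo():
    """Constructed timeline: login, then requests at 5, 15 and 31 minutes."""
    t = [0.0]
    store = SessionStore(clock=lambda: t[0])
    sid = store.create("alice")
    results = []
    # The last gap (16 minutes) models the browser reopening with the cookie restored.
    for gap in (5 * 60, 10 * 60, 16 * 60):
        t[0] += gap
        results.append(store.validate(sid))
    return results
```

The third request in `demo()` still carries the restored cookie, but the server rejects it because the idle timeout has passed.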
