Security: Chrome is not deleting session cookie when browser set to remember session
Reported by
whata...@gmail.com,
May 17 2018
Issue description

VULNERABILITY DETAILS
When Chrome is configured to remember my previous session (to reopen pages I was looking at when I closed the window) it is failing to respect session cookies. Session cookies never expire. I'm betting you are going to call this not an issue but a design decision.

VERSION
Chrome Version: Version 66.0.3359.181 (Official Build) (64-bit)
Operating System: Windows 10

REPRODUCTION CASE
Open any web application that sets a session cookie
Keep tab opened and close Chrome window
Reopen Chrome and the saved tab reopens and the session cookie is reused
I then close the tab, which also closes the Chrome window
Reopen Chrome with no tabs and go to previous web application and again the session cookie is reused.

Given the session cookie has no expiration date set, which made it a session cookie, then this cookie will be around for I don't know how long.
,
May 17 2018
Yes, that's what I meant and as I expected the answer is "it is by design". I just will leave here to say that bad design is also a vulnerability. I wish you had listened to the other users complaining in that thread you shared. Take care.
,
May 17 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by metzman@chromium.org, May 17 2018
Labels: Needs-Feedback OS-Android OS-Chrome OS-Fuchsia OS-iOS OS-Linux OS-Mac OS-Windows
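
An added example, not part of the original thread or of Chromium's code: because a browser that restores the previous session can keep sending a cookie that has no expiry, a web application can bound session lifetime on the server instead. The class and function names, the cookie name `sid` and both timeout values are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60          # assumed policy: 30 minutes without activity
ABSOLUTE_LIFETIME = 8 * 3600    # assumed policy: 8 hours since login


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table; expiry is decided here, not by the browser."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now)
        return sid

    def set_cookie_header(self, sid):
        # No Expires/Max-Age: a "session cookie", which a restoring browser may keep.
        return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def validate(self, sid, now):
        """Return the user for a live session, or None (and forget the id)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[sid]   # a restored cookie now maps to nothing
            return None
        s.last_seen = now
        return s.user


def demo():
    store = SessionStore()
    t0 = 1_526_515_200.0              # constructed timestamp
    sid = store.create("alice", t0)
    active = store.validate(sid, t0 + 10 * 60)        # 10 minutes later
    restored = store.validate(sid, t0 + 3 * 86400)    # cookie sent again 3 days on
    return active, restored
```

The clock is passed in as `now` so the expiry logic can be exercised without waiting; a real handler would pass the current time and call `validate` on every request.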