Issue 128513 in chromium: Session Cookies not cleared when Chrome processes closed

[chro...@googlecode.com]

Status: Unconfirmed
Owner: ----
Labels: Type-Bug Pri-2 Area-Undefined OS-Windows

New issue 128513 by ben.harc...@gmail.com: Session Cookies not cleared when
Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Chrome Version : 19.0.1084.46
OS Version : 6.1 (Windows 7 SP1)
URLs (if applicable) : Any
Other browsers tested : None

What steps will reproduce the problem?
1. Select a test website (eg. facebook)
2. Set cookie mode to 'Session' for that website (see attachment)
3. Perform an operation to set a cookie (eg. log in)
4. Close the browser without logging out (no processes remained in Windows
Task Manager)
5. Restart the browser, and navigate to the website

What is the expected result?

When navigating to the website after a restart, the cookie should not
be present (ie. you should not be logged in).

What happens instead?

The cookie is present, and I remain logged in.
This behaviour has appeared within the last 48 hours (ie, coinciding with
the time of release of Chrome 19).

Tested (accidentally) with facebook and google reader.

I do not have any issues with incognito windows - all data is closed when
the last incognito tab is closed (so, probably not a side affect of #47087)

Note: these are Session's in the browser, rather than a session between the
browser and a remote host. This may be a duplicate or related to #30483.

UserAgentString: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5
(KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5

Task Manager: Browser / Tabs / TinEye Reverse Image Search / GPU Process.
Extensions: TinEye Reverse Image Search / GooglePlusPlus (custom applied
skins for Google services - should not be invoked for facebook)

Attachment notes:
session-cookies: the previous page has:
"Block sites from setting any data" and "Block third-party cookies and site
data".

"Clear cookies and other site and plug-in data when I close my browser" is
not selected because this always deletes the non-Session cookies, somewhat
defeating the point of the Allow/Session/Block options.


Attachments:
cookie-settings.png 12.2 KB

[chro...@googlecode.com]

Updates:
Labels: -Area-Undefined Area-Internals Internals-Network-Cookies
Feature-Privacy

Comment #1 on issue 128513 by will...@chromium.org: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

(No comment was entered for this change.)

[chro...@googlecode.com]

Updates:
Cc: ma...@chromium.org

Comment #2 on issue 128513 by bat...@chromium.org: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Could you please check on chrome://chrome/settings/ whether "Continue where
I left off" is activated? It is interpreted in such a way that sessions
continue beyond browser restarts in order to provide a seamless restart.

[chro...@googlecode.com]

Comment #3 on issue 128513 by ben.harc...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

It is indeed on that setting, which would explain the behaviour.


If memory serves, this button was previously just 'Re-open Tabs'; I take it
that this option is no longer direct available.

[chro...@googlecode.com]

Comment #5 on issue 128513 by keyboar...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

I agree with endar. The session only cookies should be deleted. If the end
user wanted to remain logged into say Gmail they can use the option for
this on the Gmail login page.

[chro...@googlecode.com]

Comment #6 on issue 128513 by keyboar...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Believe this and 128567 are the same issue.

I spent part of 3 days wading through Chrome newsgroup posts where the
canned reply was to use the logout function in Gmail rather than closing
the browser! If Chrome behaved properly and deleted session cookies on
shutdown people would not have this problem. If people want to remain
logged in then use Gmail Stay Signed In or similar option on other websites.

[chro...@googlecode.com]

Comment #7 on issue 128513 by jesper.h...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

I agree with keyboar...@gmail.com on this.

I find this to be a serious security issue. Only by chance did I discover
that suddenly my session cookies were no longer deleted when I exited the
browser, so that I was still logged in to essential web sites after having
completely exited the browser and started it again later, even after a
restart of the computer. This is really bad.

If there is a need for a seamless restart option (which would be nice
sometimes when Chrome behaves erradically), then make a dedicated "Restart"
function that does that and optionally keeps the session cookies during the
restart if the user says yes to that.

But when I close my browser under normal circumstances I want all session
cookies to be deleted so that I am safely logged out of all essential
websites.

[chro...@googlecode.com]

Comment #8 on issue 128513 by keyboar...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Apparently this is a feature and will emain in Chrome so when using this
option any one with access to your computer can relaunch your Chrome
browser and get access to sites which you did not explicitly log out of

http://code.google.com/p/chromium/issues/detail?id=130291

I removed Chrome from all of my machines. Google did a complete 180 degree
flipflop on how this option behaves. When they did this changed Google did
not even bother mentioning the change in behavoir in the option which now
will keep you logged into secure sites such as Gmail etc.

[chro...@googlecode.com]

Comment #9 on issue 128513 by rajithwi...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Google.. pls take necessary actions for correct this bug

[chro...@googlecode.com]

Comment #10 on issue 128513 by keyboar...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

rajuthwi..@gmail.com It seems that according to Google its not a bug its a
feature and I doubt that they will be changing this setting back.

[chro...@googlecode.com]

Comment #11 on issue 128513 by t...@tpoirier.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

I agree that this "feature" was not right to implement without giving more
options so that it could have continued to work as it did before (Re-open
Tabs). All we want is choice to configure the way we work. The option
should have been easy to add, right? Like a check box that says, "Kill
sessions on close" or something of the sort...

[chro...@googlecode.com]

Comment #12 on issue 128513 by Tzewang....@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Hi,

I have the same problem. "On start-up" set to "Open the New Tab page". I
close the browser, re-open and all my session variables from the previous
session are still available to my php scripts. This has broken my site in
Chromium currently - since I rely on the fact that closing the browser
destroys the session. Since users rarely explicitly logout of a site, I
tend to use the session being destroyed as a way to indicate they have
ended their session.

This seems reasonable to me. The cookie called PHPSESSID, when I inspect it
in Chromium, has:

Created: Thursday, 14 June 2012 15:47:24
Expires: When I close my browser

But it does not expire. I re-open the browser and the same cookie is
sitting there with the same created time stamp.

Whether or not Google see this as a desired behaviour with "Continue where
I left off" set, I have not chosen this setting, so this seems to be a bug
to me.

I am running Chromium 19.0.1084.56 under Unbuntu 10.04.

Please help! Can other people confirm this behaviour? Restarting my machine
does cause the cookie to expire. I have un-installed all extensions.

[chro...@googlecode.com]

Comment #13 on issue 128513 by Tzewang....@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Okay, the issue seems to be processes not ending when I shut the browser.
Here is what I still have running after I shut the browser:

ps -A | grep chrome
4318 ? 00:00:04 chrome
4322 ? 00:00:00 chrome
4324 ? 00:00:00 chrome-sandbox
4325 ? 00:00:00 chrome
4374 ? 00:00:01 chrome

If I kill the processes, the session cookie expires properly. Should I move
this to a new bug somewhere else?

[chro...@googlecode.com]

Comment #14 on issue 128513 by g...@globalnet.co.uk: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

This -- this is a serious problem. Php session cookies, marked as "expire
when i close my browser" never expire if the "Continue where I left off" is
used.

Cookies *must* expire when they are set to expire -- this does not
prevent "Continue where I left off" from working, but it does prevent
serious security issues.

Problem exists in 21.0.1171.0 dev -- probably is all versions...

[chro...@googlecode.com]

Comment #15 on issue 128513 by keyboar...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Canary build of Chrome now has a link to the following page for this setting
http://support.google.com/chrome/bin/answer.py?hl=en&answer=95421

Seems Google will not be changing this behavoir of this setting wrt session
cookies but at least now users are warned IF they click on the link beside
the option.

[chro...@googlecode.com]

Comment #16 on issue 128513 by jesper.h...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Well, there is no reason to just give up. Google made a clear mistake and
we need to tell them that. They have ruined a nice function "continue where
I left off", i.e. with the windows and tabs that where open, with this new
buggy behavior that doesn't remove session cookies when the session ends.
They probably weren't thinking about what they where doing. Anybody can
make a mistake, we just need to make Google aware of their mistake.

They could easily make a specific option to keep session cookies across
sessions, even though it does violate some standard about session cookies
(which is also the case with the current behavior). And of course that
option should be off by default, because it violates the standard. People
who don't want session cookies to expire at all (I wonder who that would
be) could then turn that option on.

[chro...@googlecode.com]

Comment #17 on issue 128513 by t...@tpoirier.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

I agree with jesper. Just because it seems like Google won't be changing it
does not mean it's right. This setting went from fabulous to ridiculously
broken in one version of chrome. They should not have touched this setting
because it was already working as it should. The best thing they could have
done was "enhance" the option (like jesper said) by adding a check box that
you check to keep sessions alive (even though I disagree with this also).

Why take a step backward in security, especially since Chrome could be (and
I'm sure is being) used in public such as libraries and coffee shops. So
now someone unknowingly shuts down the browser thinking, "oh yeah, my
sessions will close" and the next person hacks their account. I agree this
is lazy thinking when it comes to sessions on a public terminal, but not
everybody thinks or cares about technology and security like we do. We have
to help it evolve in the right direction.

The point is: it is not right, it is a bug, fix it!

[chro...@googlecode.com]

Comment #18 on issue 128513 by keyboar...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

I agree as well with jesper but I got so frustrated with this apparent
disregard for people's security and privacy that I ditched Chrome off all
my machines and have gone back to Firefox. I got to wondering what else did
Google change in Chrome that I am unaware of behind the scenes that was
lessening security in favor of convience.

I also make sure that I tell friends etc so they do not have to go through
wondering what the heck is going on. I spent hours trying to figure out why
Chrome all of sudden was having this "problem" of logging me out.

I do not have an Android phone but does the same thing happen with the
current version of Chrome there?

[chro...@googlecode.com]

Comment #19 on issue 128513 by t...@tpoirier.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Just figured out through issue 130291 that "Disable Better session restore"
(under chrome://flags) does return the desired behavior! Why this is buried
under experimental features is beyond me as it could have just as easily
been a check box in the main settings so that less-advanced users can
choose this option without having to dig so deep. Again, I can't stress
enough, this should be how the browser works by default, and maybe "Enable
Better session restore" should be an experiment. They have it backwards.

[chro...@googlecode.com]

Comment #20 on issue 128513 by nadeem.h...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Fantastic! Thank you.

Nadeem Hosenbokus
(230)�766 9169
www.nadeemh.com

[chro...@googlecode.com]

Comment #21 on issue 128513 by eswi...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Thanks for the pointer to "Better session restore"!

Searching for this phrase reveals a discussion on the Chromium-dev group
that explains the rationale for the new behavior. The main problem they
were trying to solve is that restarting the browser to apply a new update
is too disruptive if things like session cookies are cleared.
https://groups.google.com/a/chromium.org/d/topic/chromium-dev/uV5HfzctntM/discussion

I actually agree with this argument, but I think the discussion overlooked
a completely different case, in which clearing session cookies is not an
unwanted side-effect of closing the browser, but rather the *purpose* of
closing the browser.

It's easy to distinguish the two cases:

1. If the user clicks a button or menu item that says something
like "restart to finish updating Chrome", then the "better" session restore
makes a lot of sense, especially if underneath the button is a note
reminding the user that sessions will not be logged out.

2. If the user closes all the browser windows, then the "better" session
restore causes all manner of confusion because this is how users are taught
to log out of all their sessions.

So I think the solution is for Chrome to confine the "better" behavior to
the special restart-to-update case where the goal is to hide the fact that
the browser is restarting.

[chro...@googlecode.com]

Comment #22 on issue 128513 by t...@tpoirier.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Good points and I completely agree!

[chro...@googlecode.com]

Updates:
Cc: bau...@chromium.org

Comment #23 on issue 128513 by bau...@chromium.org: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

[chro...@googlecode.com]

Comment #24 on issue 128513 by keyboar...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

t... I had found that option when I first had this problem. However if one
disables that and Chrome is updated and has to restart then the
session-only cookies are lost. Its a work around to this change but what if
Google removes that option entirely after all it is experimental and can
disappear.

[chro...@googlecode.com]

Comment #25 on issue 128513 by t...@tpoirier.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

It's still worth it to me so that I can have Chrome functioning as it did
prior to version 19. It is not worth thinking about what if
that "experiment" disappears, because the answer is that I won't be
completely satisfied with my Chrome browsing experience. Also, as many
people have mentioned between this thread and issue 130291, it is more
similar to a bug than a new feature or advancement.

I feel it is a step backwards if keeping session cookies alive is on by
default. People should be assured that when they close the browser their
sessions are closed, unless they wish to keep sessions open. You should
have to opt-in to keeping sessions alive past browser close.

I think @eswi... summed up the solution pretty well a few message
back: "... confine the 'better' behavior to the special restart-to-update

[chro...@googlecode.com]

Comment #26 on issue 128513 by curtis.c...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

@eswi: Those are sound recommendations and a couple hours ago they were
brought before the Chromium-dev group you linked to (first on the list
below). Let's hope they're listening...

For the record, the following threads address the same issue:

https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/uV5HfzctntM/discussion
[design
doc] Better session restore
http://code.google.com/p/chromium/issues/detail?id=128567 - Session only
cookies don't delete
http://code.google.com/p/chromium/issues/detail?id=130291 - "continue where
I left off" setting breaks session cookies per RFC 6265
http://productforums.google.com/forum/#!topic/chrome/Yjw7Urs0fAs - Chrome
does not sign me out but Firefox does when browser is closed

[chro...@googlecode.com]

Comment #27 on issue 128513 by keyboar...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

@t I totally agree regarding the opt-in option for maintaining session only
cookies for the "Continue Where I Left Off". This would mean that its
default setting would erred on the side of privacy and security which is
what part of Google's mission statement is.

@eswi remarks are correct. The end user should specifically indicate to the
web site(s) in question to keep themselves logged in during the initial
login. Otherwise having that option in Gmail when using the "Continue Where
I Left Off" is a bit misleading.

[chro...@googlecode.com]

Comment #31 on issue 128513 by pkas...@chromium.org: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Also, there are some changes afoot w.r.t. allowing you to define exactly
which origins get kept and cleared across exits (as jochen@ mentions on bug
130291 comment 4) but I don't know the precise details there so I won't try
to define them.

[chro...@googlecode.com]

Comment #33 on issue 128513 by curtis.c...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

eswi has stated the problem with perfect, succinct clarity.

And "Clear all cookies" when the browser is closed is NOT a solution,
because that is not what I (and I daresay most users) want to happen when
the browser is closed. All we want is our session to close, as intuition
dictates. We still want to have the benefits of functional cookies on sites
we visit frequently.

@pkasting:
> sensitive sites with logins -- e.g. banks -- not only provide
> prominent "log out"
> mechanisms that can be triggered when you're done using them, but
> generally also
> auto-logout on a time-based basis

I continually use three sites that contain sensitive information and I
leave them up at all times when I'm at my desk:

- Gmail -- used for personal and sensitive business email
- RememberTheMilk -- used for personal and company task lists
- Evernote -- used for all kinds of work and personal stuff, much of it
sensitive

These sites do not offer log-out mechanisms, nor do they have time-based
auto-logout (thank goodness, or I'd be logging into them all day long).
They rely on the well-established protocol that closing a browser closes
the session.

[chro...@googlecode.com]

Comment #34 on issue 128513 by pkas...@chromium.org: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Actually Gmail does have a logout facility (and an easily accessible one).
I don't use the other two personally.

I really think the ideal in-browser solution to this is password protection
for profiles, but that's a separate bug.

As I already noted, I understand your use case and we've already considered
it and decided it doesn't justify reversing this decision. One obvious
change you can make: Change your startup setting from "continue where I
left off" to "open a specific set of pages" and put your working set
there. This way, when you're truly done with your session, close your
browser, and on restart you'll get a brand new session, pre-populated with
the sites you normally start a session with, with no saved logins.

I have been informed that it is, in fact, possible to write an extension to
provide the old behavior. I don't have a link to one though.

[chro...@googlecode.com]

Comment #37 on issue 128513 by eswi...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Over in Firefox land, the Session Restore feature now also saves session
cookies. Not everyone is 110% in love with that decision, either:
https://bugzilla.mozilla.org/buglist.cgi?bug_id=337551,345830,358042,362212,369289,375182,376605,377233,381940,395749,398827,399748,417711,431547,437911,441544,576845

Regardless of the merits, on this point Chrome can at least claim to be no
worse than Firefox...

[chro...@googlecode.com]

Comment #38 on issue 128513 by eswi...@gmail.com: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

@Voldr: Issue 133911 (Remove better session restore from about:flags) was
opened just a few hours ago. Not a good sign.

[chro...@googlecode.com]

Updates:
Labels: -OS-Windows OS-All Restrict-AddIssueComment-Commit

Comment #39 on issue 128513 by pkas...@chromium.org: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

I'm trying to get the folks who prototyped the extension I mentioned in
comment 28 to either post the extension or upload some source code as a
reference for anyone else who wants to do that. Otherwise I don't think
there's much further productive discussion to be had here.

I admit that I don't particularly enjoy spending a while trying to write
some detailed feedback and rationale and be told that I "cavalierly
disregard" our users, whom I fight for on an ongoing basis. I accept that
you don't like or agree with the route we (or Firefox) are going here.
Please accept that we do consider our users and don't make changes in a
vacuum. If you still want to grouse after that, consider the
chromium-discuss mailing list or the help forums, both of which are
intended more for end-user use, unlike the bug tracker, which is where the
engineering team is trying to make clear decisions, schedule work, and get
on with things.

[chro...@googlecode.com]

Comment #40 on issue 128513 by bat...@chromium.org: Session Cookies not

cleared when Chrome processes closed
http://code.google.com/p/chromium/issues/detail?id=128513

Here is the mentioned prototype for an extension that clears session
cookies on browser start-up time.

Attachments:
background.js 791 bytes
manifest.json 293 bytes