Description of the issue: Browser session will still persist even if you close your browser and reopen it. This shouldn’t happen for security reasons.
Steps to Reproduce (add as many as necessary): 1. 2. 3.
- Have a cookie that should be deleted when browser session ends (When you close the browser)
- Close your Brave Browser
- Open Brave Browser again and your cookie will still exist.
Actual Result (gifs and screenshots are welcome!):
You will still be logged into account even if you close your browser. This can be a security problem if you close your browser and you will think that this would auto log you out, but in Brave browser this won’t happen.
For a cookie with expiration date of “When browser session ends”, to be deleted when you close your browser.
Reproduces how often:
Operating System and Brave Version(See the
About Brave page in the main menu):
Fedora 36 (Linux) rpm from your official repository
But I have also tried on Windows with newly installed Brave Browser.
Browser session ends in every browser (FireFox, Chromium, Edge) when you close it, except in Brave.
It ends, there is no known bug for the recent release.
The problem seems to be from your end.
I have changed it to “Allow all cookies” and the problem is still there.
This are some settings form my php.ini
session.save_handler = files
session.use_strict_mode = 1
session.use_cookies = 1
session.use_only_cookies = 1
session.name = SSID
session.auto_start = 0
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0
It should auto log me off when you close and reopen the browser, but this doesn’t happen with Brave, but it does with all other browsers.
I have also tried on newlly installed Brave Browser on Windows (Without any changes) and it is still keeping me logged in.
For security I would want for a Brave browser to delete this cookie so session id would be deleted as soon as your close your browser.
Are you clearing cookies by way of
History --> Clear browsing data --> [On exit]?
By default Browser session should end when you close your browser like it does on every other browser.
It’s even written in the PHP documentation (https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime)
Brave doesn’t seems to end browser session when you close the browser.
It does, unless you have any extensions installed that run in the background. What I’m asking is how you are setting the cookies in question to be cleared when the browser is closed.
If enabled, try disabling Continue running background apps when Brave is closed
I’m just using PHP sessions. So PHP will auto generate this cookie and put session ID/key inside. By default and also recommended by PHP, session.cookie_lifetime is set to 0, that means cookie will last as long as the browser session will also last.
If I set cookie lifetime to 20 minutes for example. Even if user will close the browser it will still be logged in when it comes back (If it comes back before 20 minutes has expired).
I would rather prefer to be deleted when someone close the browser, but in brave I have even turned off the computer and turned it back on next day and I was still logged in. So Browser session wasn’t deleted even after rebooting the computer.
Another option would be to leave session.cookie_lifetime to 0 as it is now. But that means for some users like me Browser session could never expire.
It would be great if it would be possible to mix those 2. For example cookie should expire as soon as browser session ended or certain amount of time has expired.
; Whether or not to add the httpOnly flag to the cookie, which makes it
session.cookie_httponly = 1
I have a PWA installed, so this is probably the reason when browser session doesn’t end.
Do you guys have any suggestion what would be the best thing to do in terms of security?
Every time the user logs in, does just reset the time back to 20mins? Can you compare Chrome and Brave handling here?
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.