Browser session doesn't end when you close the browser

rabbitcompany · July 8, 2022, 5:18pm

Description of the issue: Browser session will still persist even if you close your browser and reopen it. This shouldn’t happen for security reasons.

Steps to Reproduce (add as many as necessary): 1. 2. 3.

Have a cookie that should be deleted when browser session ends (When you close the browser)
Close your Brave Browser
Open Brave Browser again and your cookie will still exist.

Actual Result (gifs and screenshots are welcome!):
You will still be logged into account even if you close your browser. This can be a security problem if you close your browser and you will think that this would auto log you out, but in Brave browser this won’t happen.

Expected result:
For a cookie with expiration date of “When browser session ends”, to be deleted when you close your browser.

Reproduces how often:
Every time.

Operating System and Brave Version(See the About Brave page in the main menu):
Fedora 36 (Linux) rpm from your official repository

But I have also tried on Windows with newly installed Brave Browser.

Additional Information:
Browser session ends in every browser (FireFox, Chromium, Edge) when you close it, except in Brave.

chh_68 · July 8, 2022, 5:24pm

It ends, there is no known bug for the recent release.

The problem seems to be from your end.
See if any cookies are added in ‘sites that always use cookies’ in brave://settings/cookies

rabbitcompany · July 8, 2022, 5:38pm

I have changed it to “Allow all cookies” and the problem is still there.

This are some settings form my php.ini

[Session]
session.save_handler = files
session.use_strict_mode = 1
session.use_cookies = 1
session.use_only_cookies = 1
session.name = SSID
session.auto_start = 0
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; https://php.net/session.cookie-lifetime
session.cookie_lifetime = 0

It should auto log me off when you close and reopen the browser, but this doesn’t happen with Brave, but it does with all other browsers.

rabbitcompany · July 8, 2022, 5:43pm

I have also tried on newlly installed Brave Browser on Windows (Without any changes) and it is still keeping me logged in.

For security I would want for a Brave browser to delete this cookie so session id would be deleted as soon as your close your browser.

Mattches · July 8, 2022, 8:25pm

@rabbitcompany,
Are you clearing cookies by way of History --> Clear browsing data --> [On exit]?

rabbitcompany · July 8, 2022, 8:33pm

By default Browser session should end when you close your browser like it does on every other browser.

It’s even written in the PHP documentation (https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime)

Brave doesn’t seems to end browser session when you close the browser.

Mattches · July 8, 2022, 8:35pm

It does, unless you have any extensions installed that run in the background. What I’m asking is how you are setting the cookies in question to be cleared when the browser is closed.

CerealLover · July 8, 2022, 8:49pm

If enabled, try disabling Continue running background apps when Brave is closed

rabbitcompany · July 8, 2022, 9:05pm

I’m just using PHP sessions. So PHP will auto generate this cookie and put session ID/key inside. By default and also recommended by PHP, session.cookie_lifetime is set to 0, that means cookie will last as long as the browser session will also last.

If I set cookie lifetime to 20 minutes for example. Even if user will close the browser it will still be logged in when it comes back (If it comes back before 20 minutes has expired).

I would rather prefer to be deleted when someone close the browser, but in brave I have even turned off the computer and turned it back on next day and I was still logged in. So Browser session wasn’t deleted even after rebooting the computer.

Another option would be to leave session.cookie_lifetime to 0 as it is now. But that means for some users like me Browser session could never expire.

It would be great if it would be possible to mix those 2. For example cookie should expire as soon as browser session ended or certain amount of time has expired.

I also know that I can just change the expiration of the cookie to yesterday from javaScript to destroy it. But this won’t be possible as I have also disabled option to get cookie data from javaScript for better security. With:

; Whether or not to add the httpOnly flag to the cookie, which makes it
; inaccessible to browser scripting languages such as JavaScript.
; https://php.net/session.cookie-httponly
session.cookie_httponly = 1

I have a PWA installed, so this is probably the reason when browser session doesn’t end.

Do you guys have any suggestion what would be the best thing to do in terms of security?

fanboynz · July 8, 2022, 10:04pm

Every time the user logs in, does just reset the time back to 20mins? Can you compare Chrome and Brave handling here?

system · August 7, 2022, 10:04pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Brave Browser Not Removing Session Cookies on Exit Browser Support macos	4	650	March 9, 2023
Brave loses all sessions and some saved passwords on close/restart Desktop Support linux	3	394	December 14, 2023
Cookies not deleted On-exit despite the setting Desktop Support windows	6	661	September 22, 2023
Logsout when tab is closed instead of window Desktop Support windows	5	613	May 29, 2022
Extensions logging me out everytime i close the browser Browser Support windows	4	339	September 25, 2022
Brave clearing cookies when I close tabs Desktop Support windows	15	1406	May 29, 2022
Brave keeps logging me out after closing the browser Desktop Support windows	5	9311	May 20, 2022
Some BAT disappears and allowed cookies are deleted when all tabs are closed Desktop Support windows	1	225	March 1, 2021

Browser session doesn't end when you close the browser

Related Topics