Description of the issue: The browser session still persists even if you close your browser and reopen it. This shouldn't happen for security reasons.
Steps to Reproduce (add as many as necessary):
1. Have a cookie that should be deleted when the browser session ends (when you close the browser).
2. Close your Brave Browser.
3. Open Brave Browser again and your cookie will still exist.
Actual Result (gifs and screenshots are welcome!):
You will still be logged into your account even if you close your browser. This can be a security problem if you close your browser thinking that this will automatically log you out, but in Brave browser this won't happen.
Expected result:
For a cookie with an expiration date of "When browser session ends" to be deleted when you close your browser.
Reproduces how often:
Every time.
Operating System and Brave Version (see the About Brave page in the main menu):
Fedora 36 (Linux), rpm from your official repository
It does, unless you have any extensions installed that run in the background. What I’m asking is how you are setting the cookies in question to be cleared when the browser is closed.
I'm just using PHP sessions, so PHP will auto-generate this cookie and put the session ID/key inside. By default, and also as recommended by PHP, session.cookie_lifetime is set to 0, which means the cookie will last as long as the browser session lasts.
If I set the cookie lifetime to 20 minutes, for example, then even if the user closes the browser they will still be logged in when they come back (if they come back before the 20 minutes have expired).
I would prefer it to be deleted when someone closes the browser, but in Brave I have even turned off the computer and turned it back on the next day and I was still logged in. So the browser session wasn't deleted even after rebooting the computer.
Another option would be to leave session.cookie_lifetime at 0 as it is now. But that means for some users like me the browser session could never expire.
It would be great if it were possible to mix those two. For example, the cookie should expire as soon as the browser session ends or a certain amount of time has passed.
I also know that I can just change the expiration of the cookie to yesterday from JavaScript to destroy it. But this won't be possible as I have also disabled the option to read cookie data from JavaScript for better security, with:
; Whether or not to add the httpOnly flag to the cookie, which makes it
; inaccessible to browser scripting languages such as JavaScript.
; https://php.net/session.cookie-httponly
session.cookie_httponly = 1
I have a PWA installed, so this is probably the reason the browser session doesn't end.
Do you guys have any suggestion what would be the best thing to do in terms of security?
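One way to get both behaviours the post asks for, as an added example that is not from the original post or from Brave or PHP themselves: keep session.cookie_lifetime at 0 (a session cookie, deleted when the browser really exits) and enforce an idle timeout and an absolute maximum age on the server, so a session that survives a browser restart still dies after 20 minutes of inactivity. The /login.php redirect target and the timeout values are assumptions.

```php
<?php
// Added example (not the poster's code): a session cookie (lifetime 0)
// combined with server-side idle and absolute timeouts, so that a session
// which outlives the browser window (e.g. because a PWA keeps the browser
// process alive) still expires without any help from the client.
declare(strict_types=1);

const IDLE_TIMEOUT = 20 * 60;      // seconds of inactivity before the session is dropped (assumed value)
const ABSOLUTE_TIMEOUT = 8 * 3600; // hard cap on session age regardless of activity (assumed value)

// lifetime 0 = "until the browser session ends"; httponly as in the poster's
// php.ini; secure and samesite are added here as further hardening.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

$now = time();

// First request of this session: record when it was created.
if (!isset($_SESSION['created_at'])) {
    $_SESSION['created_at'] = $now;
}

// These checks run on every request, server-side, so they hold even if the
// browser never discards the cookie.
$idle   = isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > IDLE_TIMEOUT;
$tooOld = ($now - $_SESSION['created_at']) > ABSOLUTE_TIMEOUT;

if ($idle || $tooOld) {
    // Drop the server-side state and ask the browser to discard the cookie.
    $_SESSION = [];
    $params = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => $now - 3600,
        'path'     => $params['path'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
        'samesite' => $params['samesite'],
    ]);
    session_destroy();
    header('Location: /login.php?reason=expired'); // assumed login page
    exit;
}

$_SESSION['last_activity'] = $now;
```

Include this at the top of every page that starts the session, and keep session.gc_maxlifetime at least as large as IDLE_TIMEOUT so PHP's garbage collector does not remove session data before the idle check can run.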