"Continue where you left off" Keeps Login Credentials and/or Tokens

Enabling “Continue where you left off” is caching login credentials even if site preferences are set to not save usernames/passwords.

Specifically, this is happening with our Bank’s website. With this option enabled, closing the browser window by either quitting or rebooting does not clear the login credentials/tokens and upon relaunch of the browser, it automatically navigates to the site AND logs in.

We have not tested this with other bank websites but can repeat the behavior with our bank’s website. This issue does not present with Safari, Chrome, MS Edge or Firefox.

To reproduce the glitch, all we have to do is have the option to “continue where you left off” enabled, log into the website and then quit the browser. Upon relaunch, it opens the webpage and logs in.

The setting for saving usernames/passwords is disabled. Shields are disabled and clearing the history resolves the issue only until the next time it is cleared. By selecting the “Open the new tab page” option, this behavior ceases.

Yes, an easy “solution” is to keep the browser set to “new tab” on startup; however, the issue of login tokens being somehow cached even when it is set to prohibit saving passwords presents a security risk. While this might only be happening with one website (so far), that it is happening at all seems to contradict the security protocol of not saving passwords.

If another user has access to the PC/Mac and sets the browser preferences back to “continue” before someone keys in a username/password, the browsing history provides access to the protected account. We are able to repeat this behavior.

This happens on both Mac (Catalina) as well as PC (Windows 10) — and again, this is repeatable by simply changing the “on startup” setting.

This issue has not been tested on any other platforms. Both desktop devices are running the latest version of Brave (Version 1.20.108 Chromium: 88.0.4324.182)

Our expectation is that once the “save password” option is disabled, closing/quitting the browser would clear all or a portion of the login credentials/tokens, making it necessary to retype them for access to that specific account.

Any insight is welcome. Maybe this is user error. Thank you.

@el_cubano,
Thank you for reporting this. I’m testing and looking into this now, will reply when I have more information. Thanks for your patience.

@el_cubano,
Actually – I think that you will need to also toggle off the Auto sign-in option in brave://settings/passwords as well – located under that same option to save passwords.

@Mattches Thanks for your posts!

We have already turned this option off and just to be certain the issue is still repeatable, changed the startup setting back to “continue”, quit the browser and relaunched the browser.

Same result… logged us right into the bank account.

@el_cubano
I think this is cookie related: because the site is detecting a saved cookie, it’ll automatically do the login.

As a test, just clear the cookie for the website, then restart the browser. I don’t think it’s specifically a Brave fault/issue; I would suspect other browsers (Chrome/Firefox) would also do the same thing.

@fanboynz Thanks for the suggestion! We have been using Chrome for the last year with this site and did not encounter the issue. The site is indeed storing a cookie identifying the browser as trusted; however, this does not (or is not supposed to) extend to the actual login credentials. The cookie eliminates the need for 2FA so the user can securely log in but with fewer steps. Chrome has been working as expected, but presents other unrelated issues, which is why we are looking to use Brave. Additionally, with Brave, the cookie still functions (and as expected) when the “on startup” setting is set to “new tab”. My guess is that the history is not only saving the “trusted” state of the browser but also the token(s) that allow the actual login. Thoughts??
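
Added example, not part of any post in this thread: one way to test the cookie hypothesis discussed above is to check, with the browser closed, whether session cookies (cookies with no expiry) for the site are still on disk. The sketch assumes the Chromium-style cookie store is a SQLite file with a `cookies` table and the columns named in the code; `bank.example`, the cookie names and the sample rows are constructed, and only metadata is read, never cookie values.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores timestamps as microseconds since 1601-01-01 UTC.
CHROMIUM_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chromium_time(microseconds):
    return CHROMIUM_EPOCH + timedelta(microseconds=microseconds)


def session_cookies_on_disk(conn, host_suffix):
    """List (host, name, last_access) for cookies that have no expiry yet
    are present in the store, i.e. session cookies that outlived the window."""
    rows = conn.execute(
        "SELECT host_key, name, last_access_utc FROM cookies "
        "WHERE is_persistent = 0 AND has_expires = 0 AND host_key LIKE ? "
        "ORDER BY host_key, name",
        ("%" + host_suffix,),
    ).fetchall()
    return [(host, name, chromium_time(ts)) for host, name, ts in rows]


def build_sample_store():
    """Constructed in-memory store with a subset of the assumed columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, expires_utc INTEGER,"
        " last_access_utc INTEGER, has_expires INTEGER, is_persistent INTEGER)"
    )
    seen = 13258000000000000  # constructed timestamp (February 2021)
    conn.executemany(
        "INSERT INTO cookies VALUES (?, ?, ?, ?, ?, ?)",
        [
            # "Trusted browser" marker: has an expiry, expected to persist.
            (".bank.example", "trusted_device", seen + 10**13, seen, 1, 1),
            # Login session: no expiry, expected to vanish on quit.
            ("online.bank.example", "SESSIONID", 0, seen, 0, 0),
            # Unrelated site, filtered out by the host suffix.
            ("other.example", "sid", 0, seen, 0, 0),
        ],
    )
    return conn


if __name__ == "__main__":
    for host, name, last in session_cookies_on_disk(build_sample_store(), "bank.example"):
        print(f"{host}\t{name}\tlast access {last:%Y-%m-%d %H:%M} UTC")
```

To run it against a real profile, quit the browser and open a copy of the profile's cookie database with `sqlite3.connect(path)`. A login cookie in the output after a quit points to session-cookie retention rather than the password manager.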