Private Tab Session Leakage

I am having issues where login sessions are leaking to and from Private Tabs. I don’t use Private Tabs with Tor as they do not work on many of the hotspots I access, so I cannot say if they are affected. I often log into CMS systems in a private tab to avoid then putting an editor UI over the front end website. As such I am probably keeping track of my sessions over a mixed set of tabs more than other people.

It is not something that happens all the time, so it’s not readily reproducible. However, it happens to me multiple times a day, and across several machines, network environments and OSes. When it happens I have to either log out or dump my cache and restart the browser windows to get back to where sessions are isolated.

Steps to Reproduce (must be repeated until it appears):

  1. Open Brave
  2. Open normal tab and visit a site.
  3. Open a Private Tab to the same site and login.
  4. Go back to the normal tab and refresh the page.
  5. Occasionally the page will reload with you logged in.

Also

  1. Open Brave
  2. Open normal tab and visit a site.
  3. Open a Private Tab to the same site.
  4. Login on the normal tab.
  5. Go back to the Private tab and refresh the page.
  6. Occasionally the page will reload with you logged in.

I have had this with Google services and Company sites. It will even work if you make New Session tabs as well, which I assume should not share sessions. I find this concerning as I often use Private tabs to avoid cross contamination with my personal and work accounts. As such I am noticing topics I have searched for in my phone news feed when I should have been logged into my work account or logged out.

The Android version (1.0.54 Chromium 68.0.3440.91 / Pixel 2 XL 9.0.0) does not seem to have this problem. All problems have been observed on Windows 7 Professional, Windows 10 Home and Windows 10 Professional.

Brave Information:

Brave 0.23.79
V8 6.8.275.24
rev 51b4905
Muon 8.0.7
OS Release 10.0.17134
Update Channel Release
OS Architecture x64
OS Platform Microsoft Windows
Node.js 7.9.0
Brave Sync v1.4.2
libchromiumcontent 68.0.3440.84

Please let me know if there is a better way to capture information for you. I will try to capture video next time it starts happening.

First idea: Have you tried “Strict site isolation”?

Next idea: Brave has numbered “session tabs”, have you tried opening the login-tab in another session?
Edit: I just tried this and it seems to work: There’s a website where I have been logged in for several hours (not this forum). In a new session tab, I’m not logged in there.

I assume that a cookie will be set with your login-credential after you logged in, many sites do it this way. Now when you switch back to the non-login tab, it will check for the cookie once in a while - oh, there is one :slight_smile: - and happily switch its own status/surface over to your logged-in one. Brave has no reason to lie to the site when it makes an absolutely valid request. Thus I guess that not much could be done against that, except maybe “Strict site isolation” (but it’s still the same site, so this may work or not) and (more likely) a different session tab number.

But you should have the same problem in all other browsers. If it won’t happen by itself, then it should happen when you refresh the page. No?

It still does this with numbered session tabs. No other browsers have this behavior including Chrome and even Brave on Android.

I will look into isolation but the bleeding of sessions should not be happening. Isolation of sessions between normal and private/incognito tabs has been a base feature since browsers started using it.

Then this requires someone with better knowledge than me.
@Mattches Brave on Windows has a problem that Brave on Android does not have = I’m outsmarted and need help with helping :slight_smile:

Hi @umbrae, this is definitely a concerning issue so thanks for reaching out (also for being thorough in your report).

Unfortunately I don’t have a solution at this time. When looking through our GitHub issues, this is the closest match to the behavior you’re describing.

I’m going to dig around internally and see if I can get any additional information but in the event that I can’t, I’ll log one on your behalf and post the link here so you can track its progress.

Thanks @Mattches! That would be great. Does sound like that issue is similar. I will see if I see that happening as well.

I am a software engineer so happy to provide any info I can on this. I am frustrated it’s not reproducible on command so I could gather more information.
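One way to capture the evidence discussed in this thread, as an added example that is not part of any post above and is not Brave code: a local probe server that hands each cookie jar its own random id and reports when the same id comes back from tabs labelled as different contexts. The cookie name `probe_id`, port 8765 and the `ctx` query label are assumptions of this sketch.

```python
# Added diagnostic (not Brave code). Run it, then open http://127.0.0.1:8765/?ctx=normal
# in a normal tab and http://127.0.0.1:8765/?ctx=private in a Private Tab; refresh both.
import secrets
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

COOKIE = "probe_id"   # hypothetical cookie name used only by this probe
seen = {}             # probe id -> set of context labels that presented it

def handle(cookie_header, ctx, store=seen):
    """Return (probe_id, is_new, contexts). An id presented by more than one
    context label means those tabs are sending cookies from the same jar."""
    jar = SimpleCookie(cookie_header or "")
    pid = jar[COOKIE].value if COOKIE in jar else None
    is_new = pid is None or pid not in store   # unknown ids are replaced
    if is_new:
        pid = secrets.token_hex(8)
    store.setdefault(pid, set()).add(ctx)
    return pid, is_new, sorted(store[pid])

def leaked(store=seen):
    """Probe ids that were presented from more than one context."""
    return {pid: sorted(c) for pid, c in store.items() if len(c) > 1}

class Probe(BaseHTTPRequestHandler):
    def do_GET(self):
        u = urlparse(self.path)
        ctx = parse_qs(u.query).get("ctx", [None])[0]
        if u.path != "/" or not ctx:   # ignore favicon and unlabelled requests
            self.send_error(404)
            return
        pid, is_new, ctxs = handle(self.headers.get("Cookie"), ctx)
        verdict = "SHARED COOKIE JAR" if len(ctxs) > 1 else "isolated so far"
        body = f"{self.log_date_time_string()} ctx={ctx} id={pid} new={is_new} seen_from={ctxs} -> {verdict}\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Cache-Control", "no-store")   # every refresh hits the server
        if is_new:
            self.send_header("Set-Cookie", f"{COOKIE}={pid}; Path=/; HttpOnly; SameSite=Lax")
        self.end_headers()
        self.wfile.write(body.encode())
        print(body, end="")   # timestamped console log to attach to a bug report

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8765), Probe).serve_forever()
```

The verdict is only meaningful if each URL is opened in the tab type its `ctx` label names; numbered session tabs can be checked the same way with labels such as `ctx=session1`.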

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.