
I'm developing an app on localhost using:

Google Chrome 33.0.1750.154 m

XAMPP Version 1.8.3

I've been using these for a while now, and today all of a sudden Chrome is not clearing session cookies when I close the browser (all windows). Even after I restart my machine, session cookies are still set from the last session.

I have this code at the top of my page:

<?php
session_start();
if(!isset($_SESSION['userID']))
{
        echo "<script>alert('Username does not exist')</script>";
        echo '<script type="text/javascript"> window.location="login.html";</script>';
        exit(1);
}
?>

Which worked fine, redirecting me to the login page after the browser has been closed, up until a few hours ago.

NOTE:

Tested IE10, IE11, and FF and they DO NOT exhibit the same behavior; they are clearing session cookies as expected.

I have also verified that the "Continue where I left off..." setting is unchecked.

Anybody know what's going on here and how to fix it?

A.O.
  • Sounds like chrome isn't clearing your session cookie when you close the browser. – Kevin B Apr 03 '14 at 19:54
  • Browsers cannot "clear" session variables. They have NO direct access to $_SESSION. They can either clear the session ID cookie, giving them a brand new empty session, or YOUR server-side code has to empty out $_SESSION. – Marc B Apr 03 '14 at 19:55
  • @KevinB is this a known bug? How do I force it to clear session cookies? – A.O. Apr 03 '14 at 19:55
  • It's not a bug, it's a browser setting. Though, I'm having trouble finding it; maybe the option to change cookie behavior on browser close is gone now in Chrome? – Kevin B Apr 03 '14 at 19:58
  • You could potentially use javascript to kill the cookie when the window is closing. – Brian Warshaw Apr 03 '14 at 19:59
  • Here it is, copy this to your address bar in Chrome: `chrome://settings/content`. By default, it keeps the cookies even after closing the browser. – Kevin B Apr 03 '14 at 19:59
  • If other browsers are _really_ clearing ***SESSIONS***, then the internet is in trouble... have you called the Pentagon, Kremlin and UN Security Council? Seriously, though, sessions live on the server. The only thing the browser has is a cookie that tells the server which session to use. If no such cookie is found, a new session is created, and the client will receive a new cookie. If that cookie is not accepted, or is deleted, then that's what is causing that behaviour. It's not PHP's fault, nor Chrome's. It sounds to me like a browser-setting issue (perhaps disable private browsing?) – Elias Van Ootegem Apr 03 '14 at 20:02
  • @EliasVanOotegem thanks, but I think MarcB clearly stated that about 5 comments ago – A.O. Apr 03 '14 at 20:03
  • @KevinB you're right, the default was to keep the data around. I checked the "Keep data until I quit browser" option and cleared the cookies, yet the problem persists.... – A.O. Apr 03 '14 at 20:04

2 Answers

Thanks to KevinB for pointing me in the right direction.

Turns out it wasn't the cookie setting like I thought; I ended up keeping that set to "Allow local data to be set (recommended)".

I remembered that Google NOW had recently been installed on my machine, and that I allowed it to run in the background when I did not have my browser open. I believe this was the culprit to my session cookies not being cleared.

What ended up fixing this issue was to uncheck the "Continue running background apps when Google Chrome is closed" setting under the SYSTEM section.

Hope this helps save some headaches....

A.O.
  • This would be a problem on end-user machines, right? I see how you can fix it personally, but is there any way to fix it so cookies for the end user are removed when the session is ended? – dst3p Feb 12 '15 at 19:11
  • @dstepan that's the problem here, if the end user has this setting enabled their session doesn't end when they close their browser window because Google keeps it running in the background – A.O. Feb 13 '15 at 19:09
  • @A.O. yeah, I get that. I was hoping for an answer of how to fix this from an end user perspective, without, you know, having them change default settings in their browser. I ended up just explicitly removing the cookie. – dst3p Feb 14 '15 at 05:55
  • Details: Killing the background Chrome tasks by hand did NOT help get the cookies cleared. Only turning off the option described above and exiting worked. To be clear, telling Chrome to clear out cookies IN ALL OTHER WAYS in the setting did NOT work. ONLY turning off the "Continue running background apps" and closing Chrome. – jeesty Mar 17 '16 at 15:33
  • Had another extension behaving the same: Testim Editor – felickz Apr 27 '21 at 19:23

The "Continue running background apps" option may work, but we cannot expect the users (clients) to do this with their Chrome web browser. My solution was as follows: They click the "Log out" button - this takes them to a page that is pure PHP (no html code) that is scripted:

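<?php
session_start();
// Empty the server-side session data.
$_SESSION = array();
// Expire the session cookie using the same parameters it was set with.
$cookie_parameters = session_get_cookie_params();
setcookie(session_name(), '', time() - 86400, $cookie_parameters['path'],
    $cookie_parameters['domain'], $cookie_parameters['secure'], $cookie_parameters['httponly']);
// Remove the session record on the server.
session_destroy();
header('Location: logout_exit.php');
exit; // stop here so nothing else runs after the redirect header
?>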

The "header" part of the code takes them (instantly) to the page "logout_exit.php". (You name your page whatever you like, and it can have an .html extension rather than .php.) And this page is pure html (no php!). Now at this point, if you look in Chrome for cookies, you will see that your cookie is still there! But click the following image: "Chrome shows cookie deleted, but still there!"

The magic is to include a meta tag in your logout_exit.php page (in the header part of the html code) as:

<meta http-equiv="refresh" content="30">

Forcing the browser to automatically refresh (30 = 30 seconds, but choose whatever value you want). Once it's refreshed, if you now look in Chrome, it says "Cookies (0 in use)" and if you click that message, you find the cookie really has been cleared.

Phil
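
Because the browser may keep the session cookie after it is closed, as both answers describe, the expiry can also be enforced on the server, where the comments point out the session actually lives. The following is an added example, not code from any poster in this thread; the key names `created` and `last_seen` and the two timeout values are assumptions, and the login code is assumed to set both keys to `time()` next to `userID`.

```php
<?php
// Added example: server-side session expiry that does not depend on the
// browser discarding the session cookie when it is closed.
// Assumed values and hypothetical key names ('created', 'last_seen').
const IDLE_LIMIT = 900;        // seconds allowed between two requests
const ABSOLUTE_LIMIT = 28800;  // seconds allowed since login

/** Return true if the stored session data is still valid at time $now. */
function session_is_fresh(array $s, int $now): bool
{
    if (!isset($s['userID'], $s['created'], $s['last_seen'])) {
        return false; // not logged in, or a session created before this check existed
    }
    return ($now - $s['last_seen']) <= IDLE_LIMIT
        && ($now - $s['created']) <= ABSOLUTE_LIMIT;
}

/** Empty the session, expire its cookie and destroy the server-side record. */
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'],
        $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

/** Call at the top of every protected page in place of the bare isset() check. */
function require_login(): void
{
    session_start();
    if (!session_is_fresh($_SESSION, time())) {
        end_session();
        header('Location: login.html');
        exit;
    }
    $_SESSION['last_seen'] = time(); // sliding idle window
}

// Constructed sample data, runnable from the CLI without a web server.
if (PHP_SAPI === 'cli') {
    $now = 1000000;
    $login = ['userID' => 7, 'created' => $now - 600, 'last_seen' => $now - 60];
    var_dump(session_is_fresh($login, $now));                                // recent activity
    var_dump(session_is_fresh(['last_seen' => $now - 3600] + $login, $now)); // idle for an hour
    var_dump(session_is_fresh(['userID' => 7], $now));                       // timestamps missing
}
```

With this check in place, a cookie that survives a browser restart only reopens the session while it is inside both limits. Calling `session_regenerate_id(true)` in the login handler when it sets `userID` pairs well with it.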