
I recently found out that if someone checks "Continue where I left Off" in Chrome, cookies and sessionStorage persist between browser restarts. In addition, some threads talk about Chrome background processes staying open even after you shut down the browser. And thread after thread after thread on Stack Overflow and many other websites has many people asking the same question, but no one actually posting a real solution to the problem. See: Chrome not clearing SESSION COOKIES on close/exit

I thought maybe I could detect them shutting down the window/tab, but this doesn’t work either: javascript detect browser close tab/close browser

I checked on the issue in Chrome, figuring someone had reported it by now and found that they have no plans to fix this: https://bugs.chromium.org/p/chromium/issues/detail?id=128513

Also see here: Chrome doesn't delete session cookies

Using sessionStorage in JavaScript will also persist between closes of tabs and windows if "Continue where I left Off" is checked, and I can't expect the end user to change that setting.

The internet still carries on so I'm wondering what the fix to this problem is?

One article I read said they started setting the expiration date of their cookies to 1 hour: http://erlycoder.com/111/google-chrome-session-cookie-expiration-issue-feature-your-personal-data-is-insecure-now-

Sure, I can set expiration dates on my cookies, but even if I set the value to say '1 Hour', if the user closes the tab and re-opens it inside of an hour then problems arise.

Suggestions?

Josh Whitlow
  • Why is it a problem? Sessions staying 'open' in these cases is a feature, or at least that is how Chrome considers it. As is said in the bug report: `We changed it because "continue where I left off" means "continue where I left off"`. That's a perfectly reasonable stance. Like you say yourself, "The internet still carries on", so what is the problem exactly? – Karl Reid Jun 15 '17 at 15:50
  • You could set an expiry time in your session that's refreshed with every page load. If a page is loaded after that expiry time just respawn the session and the appropriate cookie - essentially how you'd do it if you wanted to enforce a timeout after x minutes of inactivity. – CD001 Jun 15 '17 at 15:58
  • @KarlReid Because in my application, cookies being held on to is causing issues. I need a completely fresh set of cookies and when they come back to the page with older cookies, parts of the application do not work right without clearing the cookies. Not to mention this is arguably a violation of coding standards: w3.org/Protocols/rfc2109/rfc2109. @CD001, let's say I set the expiration timer to 30 minutes, they close the browser and after 10 minutes, then remember they forgot to get something and come back, only to have strange behavior occur. – Josh Whitlow Jun 15 '17 at 16:05
  • That is a problem with your code, not theirs. You might want to re-work your design to account for this, since Firefox, Opera, Vivaldi, Edge might decide to add this behavior too. – Dave S Jun 15 '17 at 16:08
  • @DaveS Firefox [already](https://bugzilla.mozilla.org/show_bug.cgi?id=345345) does the same thing. It's a completely normal thing. If you want this "continue where I left off"/"session restore" concept, this is just how it works and is normal behaviour. – Karl Reid Jun 15 '17 at 16:16
  • Answered the question based on the advice to make changes to the application. I decided to implement an activity expiration to solve the issue. – Josh Whitlow Jun 15 '17 at 18:27

1 Answer

Taking from other posts on Stack Overflow as well as taking the comments on my question about re-working the app, I combined some posts to clear cookies and the session variables after 1 hour.

Credit:

  • How do I expire a PHP session after 30 minutes?
  • Best way to completely destroy a session - even if the browser is not closed
  • http://php.net/manual/en/function.setcookie.php

    // Assumes session_start() has already been called on this request.
    if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 3600)) {

        // Expire the session cookie using the same parameters it was set with.
        if (ini_get("session.use_cookies")) {
            $params = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $params["path"], $params["domain"],
                $params["secure"], $params["httponly"]
            );
        }

        // Expire every other cookie the browser sent, for the default path and for '/'.
        if (isset($_SERVER['HTTP_COOKIE'])) {
            $cookies = explode(';', $_SERVER['HTTP_COOKIE']);
            foreach($cookies as $cookie) {
                $parts = explode('=', $cookie);
                $name = trim($parts[0]);
                setcookie($name, '', time()-1000);
                setcookie($name, '', time()-1000, '/');
            }
        }

        // Drop the server-side session data.
        session_unset();
        session_destroy();

        echo '<script>window.location= "login.php?pre_action=session_expired";</script>';
        exit; // stop here so the rest of the page does not run against the destroyed session
    }
    $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
    
Josh Whitlow
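An added example, not part of the original answer: the same idle timeout combined with an absolute session lifetime, with the expiry decision split into a pure function so it can be checked from the command line against sessions a restored browser would present. The `ABSOLUTE_LIMIT` value, the `CREATED` key and the function names are assumptions; `LAST_ACTIVITY`, the one-hour limit and the `pre_action=session_expired` redirect come from the answer.

```php
<?php
// Added example; limits, the CREATED key and function names are assumptions.
const IDLE_LIMIT     = 3600;   // seconds of inactivity allowed (the answer's 1 hour)
const ABSOLUTE_LIMIT = 28800;  // maximum session age in seconds (assumed value)

// Pure decision on session data: 'new', 'active', 'idle_expired', 'absolute_expired'.
function session_state(array $s, int $now): string
{
    if (!isset($s['CREATED'], $s['LAST_ACTIVITY'])) {
        return 'new';
    }
    if ($now - $s['CREATED'] > ABSOLUTE_LIMIT) {
        return 'absolute_expired';
    }
    return ($now - $s['LAST_ACTIVITY'] > IDLE_LIMIT) ? 'idle_expired' : 'active';
}

// Call before any output on every protected page.
function enforce_session_timeout(string $loginUrl): void
{
    session_start();
    $now   = time();
    $state = session_state($_SESSION, $now);
    if ($state === 'idle_expired' || $state === 'absolute_expired') {
        $_SESSION = [];                       // clear data held in this request
        if (ini_get('session.use_cookies')) { // expire the session cookie itself
            $p = session_get_cookie_params();
            setcookie(session_name(), '', $now - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();                    // remove the server-side record
        header('Location: ' . $loginUrl . '?pre_action=session_expired');
        exit;                                 // nothing else runs for this request
    }
    if ($state === 'new') {
        $_SESSION['CREATED'] = $now;          // start of the absolute lifetime
    }
    $_SESSION['LAST_ACTIVITY'] = $now;        // slide the idle window forward
}

// Constructed sample sessions, as a restored browser might present them.
$now = 1000000;
$samples = [
    'reopened after 10 minutes' => ['CREATED' => $now - 1200,  'LAST_ACTIVITY' => $now - 600],
    'reopened after 2 hours'    => ['CREATED' => $now - 9000,  'LAST_ACTIVITY' => $now - 7200],
    'kept alive for 9 hours'    => ['CREATED' => $now - 32400, 'LAST_ACTIVITY' => $now - 60],
    'first visit'               => [],
];
foreach ($samples as $label => $s) {
    echo $label, ': ', session_state($s, $now), PHP_EOL;
}
```

The first sample is the case raised in the comments: a tab restored ten minutes later is still an active session, so the application has to work with the cookies it already issued.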