Chrome Session Cookie Handling Vulnerability - parker0phil/parker0phil.github.io GitHub Wiki

Problem

  1. Chrome persists session cookies between sessions, clearing them when a new session starts as opposed to when a previous session ends.
  2. Certain extensions (including Google-provided ones) cause the session cookies NOT to be cleared even when the new session starts.

Details

Chrome persists session cookies between sessions, clearing them after a new session starts as opposed to when a previous session ends.

This behaviour directly contravenes the RFC, which states:

Max-Age=delta-seconds: Optional. The Max-Age attribute defines the lifetime of the cookie, in seconds.

and

Max-Age: The default behavior is to discard the cookie when the user agent exits.

Certain extensions (including Google-provided ones) cause the session cookies NOT to be cleared even when the new session starts.

Extensions known to cause this behaviour

(you may want to remove these until the problem is fixed!)

  • Google Hangouts
  • Advanced REST Client

Let me know if you find more extensions that cause this and I'll add them to the list. I'd be interested to know if anyone with extension development knowledge can identify what property of these extensions is causing this behaviour.

Recommendation

  1. Chrome should never persist session cookie values to disk. Session cookies whose Max-Age has not yet expired should be persisted on exit and cleared on start-up if they have expired in the meantime.
  2. A separate extension permission should be added for "Access to Secure Cookies", and Chrome should defend against extensions without this permission interfering (intentionally or not) with the behaviour of cookies.
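The Details section quotes the RFC lifetime rules and Recommendation 1 restates them as an exit/start-up procedure. The following Python is an added example written for this page (it is not Chrome code and not from the wiki author): it parses constructed Set-Cookie headers, classifies each cookie as session or persistent from its Max-Age/Expires attributes, and simulates what the RFC expects a user agent to keep across a browser restart: session cookies are dropped at exit, persistent cookies are dropped at start-up once expired. The sample headers, timestamps and function names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional


@dataclass
class ParsedCookie:
    name: str
    value: str
    expires_at: Optional[datetime]  # None means "session cookie": no Max-Age, no Expires
    secure: bool
    http_only: bool

    @property
    def is_session(self) -> bool:
        return self.expires_at is None


def parse_set_cookie(header: str, received_at: datetime) -> ParsedCookie:
    """Parse one Set-Cookie header value and compute its absolute expiry.

    Follows the RFC 6265 precedence rules: Max-Age wins over Expires, a
    non-numeric Max-Age is ignored, and Max-Age <= 0 means "already expired".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    secure = http_only = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass  # ignore malformed Max-Age, as the RFC instructs
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                pass  # unparseable Expires is ignored as well
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    if max_age is not None:
        if max_age <= 0:
            expires_at = datetime.min.replace(tzinfo=timezone.utc)
        else:
            expires_at = received_at + timedelta(seconds=max_age)
    else:
        expires_at = expires
    return ParsedCookie(name.strip(), value, expires_at, secure, http_only)


def cookies_to_persist(cookies: List[ParsedCookie]) -> List[ParsedCookie]:
    """At user-agent exit: only cookies with a lifetime may be written to disk."""
    return [c for c in cookies if not c.is_session]


def cookies_to_load(persisted: List[ParsedCookie], now: datetime) -> List[ParsedCookie]:
    """At user-agent start-up: drop persisted cookies that expired while closed."""
    return [c for c in persisted if c.expires_at is not None and c.expires_at > now]


def survivors_after_restart(headers: List[str], received_at: datetime,
                            restart_at: datetime) -> List[str]:
    """Names of the cookies that should still exist after exit + restart."""
    jar = [parse_set_cookie(h, received_at) for h in headers]
    return [c.name for c in cookies_to_load(cookies_to_persist(jar), restart_at)]


# Constructed sample headers (hypothetical, not captured from any real site).
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly",                 # session cookie
    "prefs=dark; Max-Age=3600; Path=/",                     # persistent, 1 hour
    "old=1; Expires=Wed, 21 Oct 2015 07:28:00 GMT",         # persistent, long expired
    "bad=x; Max-Age=notanumber",                            # Max-Age ignored -> session
]

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(survivors_after_restart(SAMPLE_HEADERS, t0, t0 + timedelta(minutes=30)))
    print(survivors_after_restart(SAMPLE_HEADERS, t0, t0 + timedelta(hours=2)))
```

Running the block with the constructed headers keeps only `prefs` after a 30-minute restart and nothing after two hours; the `sid` cookie, which the page's complaint is about, never reaches disk in this model because it carries neither Max-Age nor Expires.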