Google Chrome session cookie expiration issue/feature - your personal data is insecure now!

As you may already know, since version 19 Google Chrome does not remove session cookies. According to the Chrome developers this should improve the user experience, but I believe it is a huge security issue. Even if this behaviour stays available, it should not be the default, and the browser should show some warning to the user. It is not what users and programmers expect from a browser. Now everybody has to remove cookies manually to end their sessions. Sounds quite stupid to me, but this is the reality. This is not the first Google Chrome issue that makes a web developer's work harder. A few days ago I described another Chrome issue with rounded corners and non-default positioning.

As usual there are several solutions for this problem.

Client side changes

Open the Chrome settings at chrome://chrome/settings/ and change "Continue where I left off" to something different. Sure, the browser will not restore your tabs the next time you open it, but at least it will be more secure. I do not believe that a lot of people will bother to change settings, or even know that their website sessions and personal data are not secure now.

Server side

So, as usual, this problem is left to the web developer, as the Google Chrome team thinks that everything is perfect. I do not see any other solution than to define an expiration time for every cookie, for example an expiration time of 20 minutes.

To force PHP session cookies to expire you should update the /etc/php.ini file. Open the file and find the following line:

session.cookie_lifetime = 0

This line means that no expiration time is defined for the session cookie, so the session should expire once the browser is closed. Unfortunately this does not happen with Google Chrome, so we should set an expiration time in seconds. For example, for 1 hour:

session.cookie_lifetime = 3600

The same changes should be applied to server-side cookies and client-side/JavaScript cookies. Not a perfect solution, but better than session cookies that do not expire, I think.
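
To find which cookies a site still issues without an expiration time, the following added example (not part of the original post) parses Set-Cookie header values and flags session cookies as well as cookies that live longer than the 3600 seconds used above. The function names, the limit constant and the sample headers are constructed for illustration.

```javascript
// Added example; header values below are constructed sample data.
const MAX_LIFETIME_SECONDS = 3600; // the 1 hour limit from the php.ini example

// Parse one Set-Cookie header value into its name and lifetime in seconds.
// lifetime is null for a session cookie (neither Max-Age nor Expires present).
function cookieLifetime(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : attr.slice(eq + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(value)) {
      maxAge = parseInt(value, 10);
    } else if (key === 'expires') {
      const t = Date.parse(value);
      if (!Number.isNaN(t)) expires = Math.round((t - now) / 1000);
    }
  }
  // RFC 6265: Max-Age takes precedence over Expires when both are present.
  const lifetime = maxAge !== null ? maxAge : expires;
  return { name, lifetime };
}

// Classify each header: "session" (no expiry), "too-long", or "ok".
function auditCookies(headers, now = Date.now()) {
  return headers.map((h) => {
    const { name, lifetime } = cookieLifetime(h, now);
    let verdict = 'ok';
    if (lifetime === null) verdict = 'session';
    else if (lifetime > MAX_LIFETIME_SECONDS) verdict = 'too-long';
    return { name, lifetime, verdict };
  });
}

const NOW = Date.parse('Wed, 01 Jan 2020 00:00:00 GMT'); // fixed clock for the sample
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; path=/; HttpOnly',
  'PHPSESSID=abc123; Max-Age=3600; path=/; HttpOnly',
  'remember=1; Expires=Thu, 02 Jan 2020 00:00:00 GMT; path=/',
  'prefs=dark; Expires=Wed, 01 Jan 2020 00:20:00 GMT; Max-Age=600',
];

for (const r of auditCookies(SAMPLE_HEADERS, NOW)) {
  console.log(`${r.name}: ${r.verdict} (${r.lifetime === null ? 'no expiry' : r.lifetime + 's'})`);
}
```

The first sample header is what PHP sends with session.cookie_lifetime = 0, and the second is what it sends after the change to 3600.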

Let me know if you have some better solution for this issue/feature.
