How to Fix Firefox and Chrome Default of Retaining Session Cookies Insecurely

On last week’s episode of the Security Now podcast (Listener Feedback #147, transcript at http://www.grc.com/sn/sn-360.htm), listener Anthony in Melbourne, Australia informed Steve Gibson and the world of a surprising fact. Of the three major browsers, only Internet Explorer respects session cookies properly. By respects, I mean that any web site session cookie should only reside in transient memory and not be persisted to your hard drive.

It appears that for a while now, both Firefox and Chrome have, for the convenience of their users, restored session cookies between browser shut down and restart. This is convenient, but insecure. Only persistent cookies should restore in this way. A common example of the usage of persistent cookies is when you check “keep me logged in” or “remember me” when logging into a site.

Neither Mozilla nor Google seems inclined to revert to the correct, secure behavior that IE has kept. If, like me, you really love using their browsers but want to fix this, I’ve given the steps below.

Firefox

As discussed on the podcast, the way to get the correct secure behavior back in Firefox is to browse to about:config, enter ‘sessionstore’ in the search box, and change browser.sessionstore.privacy_level from 0 to 2.

[Screenshot: Firefox about:config filtered on ‘sessionstore’, showing browser.sessionstore.privacy_level]
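A way to verify the fix on disk rather than trusting the about:config screen, as an added example that is not part of the original post: a small audit script that reads the `browser.sessionstore.privacy_level` pref from a profile’s `prefs.js` and lists any cookies that Firefox has written into `sessionstore.js`. It assumes Firefox only writes a `user_pref` line when the value differs from the default (so no line means the default of 0), and that cookies appear under each `windows[]` entry or in a top-level `cookies` array; the profile contents below are constructed samples.

```python
import json
import re

# Pref line as Firefox writes it in a profile's prefs.js (or user.js)
PREF_RE = re.compile(
    r'user_pref\("browser\.sessionstore\.privacy_level",\s*(\d)\);'
)


def parse_privacy_level(prefs_text: str) -> int:
    """Return browser.sessionstore.privacy_level from prefs.js text.

    Assumption: Firefox writes a user_pref line only when the value differs
    from the default, so a missing line means the default of 0 (store all).
    """
    matches = PREF_RE.findall(prefs_text)
    return int(matches[-1]) if matches else 0


def persisted_cookies(sessionstore_text: str) -> list:
    """Return (host, name) pairs for cookies found in a sessionstore.js file.

    Assumption: cookies sit under each "windows" entry (older Firefox) or in
    a top-level "cookies" array (newer Firefox); both locations are checked.
    """
    data = json.loads(sessionstore_text)
    buckets = [data.get("cookies", [])]
    buckets += [w.get("cookies", []) for w in data.get("windows", [])]
    return [(c.get("host", ""), c.get("name", ""))
            for cookies in buckets for c in cookies]


def audit(prefs_text: str, sessionstore_text: str) -> dict:
    """Combine both checks: the pref must be 2 and no cookies may be on disk."""
    level = parse_privacy_level(prefs_text)
    cookies = persisted_cookies(sessionstore_text)
    return {"privacy_level": level, "cookies_on_disk": cookies,
            "secure": level == 2 and not cookies}


# Constructed sample profile contents (not taken from a real profile)
SAMPLE_PREFS_DEFAULT = 'user_pref("browser.startup.page", 3);\n'
SAMPLE_PREFS_FIXED = (SAMPLE_PREFS_DEFAULT +
                      'user_pref("browser.sessionstore.privacy_level", 2);\n')
SAMPLE_SESSION = json.dumps({"windows": [{"tabs": [], "cookies": [
    {"host": "example.com", "name": "SESSIONID", "value": "abc", "path": "/"}]}]})
SAMPLE_SESSION_CLEAN = json.dumps({"windows": [{"tabs": []}]})

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS_DEFAULT, SAMPLE_SESSION))   # insecure: level 0, cookie on disk
    print(audit(SAMPLE_PREFS_FIXED, SAMPLE_SESSION_CLEAN))  # secure
```

On a real profile, read `prefs.js` and `sessionstore.js` (or the copies under `sessionstore-backups/`) from the profile directory and pass their contents to `audit`.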

Chrome

I had to dig around for this one. It seems from the discussion at http://goo.gl/YyHiL that the session cookie-restoring behavior occurs only when “Continue where I left off” is selected in Chrome’s settings. Note in the picture below, I did not have this set:

[Screenshot: Chrome settings, “On startup” section, with “Continue where I left off” not selected]

Make sure “Continue where I left off” is not selected in your browser either. In addition (from http://code.google.com/p/chromium/issues/detail?id=130291#c27): browse to chrome://flags, press CTRL-F and enter ‘disable better’ to jump to the “Disable Better session restore” flag, then enable it.

[Screenshot: chrome://flags showing the “Disable Better session restore” flag enabled]
