On last week’s episode of the Security Now podcast (Listener Feedback #147, transcript at http://www.grc.com/sn/sn-360.htm), listener Anthony in Melbourne, Australia informed Steve Gibson and the world of a surprising fact. Of the three major browsers, only Internet Explorer respects session cookies properly. By respects, I mean that any web site session cookie should only reside in transient memory and not be persisted to your hard drive.
It appears that for a while now, both Firefox and Chrome have, for the convenience of their users, restored session cookies across a browser shutdown and restart. This is convenient, but insecure. Only persistent cookies should be restored in this way. A common example of the usage of persistent cookies is when you check “keep me logged in” or “remember me” when logging into a site.
Neither Mozilla nor Google seems inclined to revert to the correct secure behavior that IE has kept. If you really love using their browsers (like me), but want to fix this, I’ve given the steps below.
As discussed on the podcast, the way to get the correct secure behavior back in Firefox is to browse to about:config, enter ‘sessionstore’ in the search box, and change browser.sessionstore.privacy_level from 0 to 2.
I had to dig around for this one. It seems from the discussion at http://goo.gl/YyHiL that the session cookie-restoring behavior is only in the case where “Continue where I left off” is selected in Chrome’s settings. Note in the picture below, I did not have this set:
Make sure “Continue where I left off” is not selected in your browser either. In addition (from http://code.google.com/p/chromium/issues/detail?id=130291#c27): browse to chrome://flags, press CTRL-F and enter ‘disable better’ to jump to the “Disable Better session restore” flag. Enable it.
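The two fixes above (the Firefox `browser.sessionstore.privacy_level` pref and Chrome’s “Continue where I left off” setting) are both plain text on disk, so you can audit a machine’s profiles rather than clicking through each browser. The script below is an added example of mine, not from the podcast or the browser projects. It parses the `user_pref("name", value);` lines Firefox writes to `prefs.js` (or that you put in `user.js`) and the JSON Chrome keeps in its `Preferences` file. The Firefox pref name and the value 2 come from the post; the Chrome key `session.restore_on_startup` and its value 1 meaning “Continue where I left off” are my understanding of Chrome’s preference layout, not something the post states. It does not check the chrome://flags setting, which lives elsewhere. The sample inputs are constructed.

```python
import json
import re
from pathlib import Path

# Firefox prefs.js / user.js entries look like:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Value of browser.sessionstore.privacy_level that stops session data
# (including session cookies) from being written to disk; the post says
# to change it from the default 0 to 2.
FIREFOX_HARDENED_PRIVACY_LEVEL = 2

# Assumed Chrome mapping: session.restore_on_startup == 1 selects
# "Continue where I left off" (other values pick new tab page / fixed URLs).
CHROME_RESTORE_LAST_SESSION = 1


def parse_firefox_prefs(text):
    """Return {pref_name: value} from prefs.js/user.js content.
    Values are JSON-compatible literals (ints, bools, quoted strings)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep unparsed text rather than drop the pref
    return prefs


def firefox_session_cookies_persisted(prefs):
    """True if Firefox will persist session cookies via session restore.
    An absent pref means the default (0), which is the insecure case."""
    level = prefs.get("browser.sessionstore.privacy_level", 0)
    return level != FIREFOX_HARDENED_PRIVACY_LEVEL


def chrome_restores_last_session(preferences_json):
    """True if Chrome's Preferences file selects 'Continue where I left off'."""
    data = json.loads(preferences_json)
    return data.get("session", {}).get("restore_on_startup") == CHROME_RESTORE_LAST_SESSION


def audit(firefox_prefs_text=None, chrome_prefs_json=None):
    """Return a list of findings (empty list means both checks passed)."""
    findings = []
    if firefox_prefs_text is not None:
        if firefox_session_cookies_persisted(parse_firefox_prefs(firefox_prefs_text)):
            findings.append("Firefox: browser.sessionstore.privacy_level is not 2; "
                            "session cookies are written to disk")
    if chrome_prefs_json is not None:
        if chrome_restores_last_session(chrome_prefs_json):
            findings.append("Chrome: 'Continue where I left off' is selected; "
                            "session cookies survive a restart")
    return findings


def audit_files(firefox_prefs_path=None, chrome_prefs_path=None):
    """Same audit, reading the real profile files (paths supplied by the caller)."""
    ff = Path(firefox_prefs_path).read_text(encoding="utf-8") if firefox_prefs_path else None
    ch = Path(chrome_prefs_path).read_text(encoding="utf-8") if chrome_prefs_path else None
    return audit(ff, ch)


# Constructed sample inputs (not real profile contents).
SAMPLE_PREFS_INSECURE = 'user_pref("browser.sessionstore.privacy_level", 0);\n'
SAMPLE_PREFS_HARDENED = ('user_pref("browser.startup.page", 3);\n'
                         'user_pref("browser.sessionstore.privacy_level", 2);\n')
SAMPLE_CHROME_CONTINUE = '{"session": {"restore_on_startup": 1}}'
SAMPLE_CHROME_NEWTAB = '{"session": {"restore_on_startup": 5}}'

if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS_INSECURE, SAMPLE_CHROME_CONTINUE):
        print("FAIL:", finding)
    print("hardened profiles:", audit(SAMPLE_PREFS_HARDENED, SAMPLE_CHROME_NEWTAB))
```

Point `audit_files()` at a profile’s `prefs.js` and Chrome’s `Preferences` file to run it for real; an empty result means both settings match the post’s recommendations.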