Google Chrome restores session cookies after a crash, how to avoid?

Question

On Google Chrome (I saw this with version 35 on Windows 8.1, so far I didn\'t try other versions) when browser crashes (or you simply unplug power cable...)

Answer 1

I didn't find anything I can use as process id to be sure Chrome has not been restarted but there is a dirty workaround: if I setup a timer (let's say with an interval of five seconds) I can check how much time elapsed from last tick. If elapsed time is too long then session has been recovered and logout performed. Roughly something like this (for each page):

var lastTickTime = new Date();

setInterval(function () {
    var currentTickTime = new Date();

    // Difference is arbitrary and shouldn't be too small, here I suppose
    // a 5 seconds timer with a maximum delay of 10 seconds.
    if ((currentTickTime - lastTickTime) / 1000 > 10) {
        // Perform logout
    }

    lastTickTime = currentTickTime;
}, 5000);

Of course it's not a perfect solution (because a malicious attacker may handle this and/or disable JavaScript) but so far it's better than nothing.

New answers with a better solution are more than welcome.

Answer 2

Adriano's suggestion makes is a good idea but the implementation is flawed. We need to remember the time from before the crash so we can compare it to the time after the crash. The easiest way to do that is to use sessionStorage.

const CRASH_DETECT_THRESHOLD_IN_MILLISECONDS = 10000;

const marker = parseInt(sessionStorage.getItem('crashDetectMarker') || new Date().valueOf());

const diff = new Date().valueOf() - marker;
console.log('diff', diff)

if (diff > CRASH_DETECT_THRESHOLD_IN_MILLISECONDS) {
    alert('log out');
} else {
    alert ('ok');
}

setInterval(() => {
    sessionStorage.setItem('crashDetectMarker', new Date().valueOf());
}, 1000)

To test, you can simulate a Chrome crash by entering chrome://crash in the location bar.

Don't forget to clear out the crashDetectMarker when the user logs out.