Chrome - Why am I automatically authenticated to a web app even after clearing browser cookies?

I am accessing a web application using Chrome. If I sign out of the app and clear all Chrome history/cookies/etc (even Flash cookies which are now handled by Chrome in the same Clear History area) and then re-access the site, I am automatically logged in without being prompted for credentials.

I then launched Chrome in Incognito mode and was able to reproduce the same behavior. However, I was prompted upon the first logon while in Incognito mode.

The web application behaves as expected in Internet Explorer 10.

Some info about the application:

  • It's a Sharepoint site using NTLM authentication
  • The credentials are Active Directory-based, as the username is domain\username
  • My connection is over the Internet and there is no AD relationship involving my local Windows account or my Windows PC. In other words, I (meaning my locally logged-on user and my PC) am not in any way part of their AD domain.
  • The site is running SSL on port 443

Why might Chrome be automatically authenticating me?

Howiecamp

Posted 2013-10-24T15:06:14.627

Reputation: 1 438

I met the same issue. I think it's Chrome remembering NTLM credentials until the window is closed, just like how Chrome (and other browsers) treat basic authentication. Note that this is different from the "save password" functionality, which pre-fills the pop-up instead of preventing it.

– Franklin Yu – 2017-08-16T19:50:54.767

I tried latest Firefox and it has the same issue, so it's not Chrome-only. – Franklin Yu – 2017-08-17T13:29:06.827

If it's using AD then it's likely not using basic HTTP authentication. If you already authenticated your AD credentials, that's likely the reason Chrome isn't asking you to authenticate again. – Ramhound – 2013-10-24T15:10:48.920

@Ramhound - Good catch. I verified with F12 tools that it is using NTLM authentication. But in any case, how is the site remembering me if I am clearing all browser cookies? There still needs to be a session mechanism to determine that I am the same person as before. Also, just to clarify, my only authentication is via the browser, e.g. I am not authenticating in any other way with their domain and there is no relationship between my machine and their domain. – Howiecamp – 2013-10-24T15:25:42.413

@Ramhound - Also don't forget that IE is prompting me again. – Howiecamp – 2013-10-24T15:33:33.990

Use Fiddler or Wireshark to see if it's doing automatic Kerberos/SPNEGO authentication with your login credentials (look for www-authentication: HTTP header, etc). It might be caching your login based on IP or something. This is really a problem you need to debug on the server side, but at least from the client side you will be able to see what kind of auth (if any) it's doing on a clean session, and what information (if any) your browser is sending to the remote site. – allquixotic – 2013-10-24T15:38:59.917

It's a Sharepoint site using NTLM authentication - The entire point of NTLM authentication is that you don't get prompted for authentication. Your credentials are automatically passed. If you want to authenticate as a different user, restart your browser and run it as a different user. – Zoredache – 2013-10-24T18:32:34.200

@Zoredache - Keep in mind this is not an intranet app and there is no NTLM/Kerberos communication between my workstation and the server. It's browser-only. Browsers, regardless of the authentication mechanism (NTLM, etc.) need some means of maintaining state. My question is how is that state maintained? After I clear browser cookies, cache, etc. there should be no means for the server to remember who I am. – Howiecamp – 2013-10-26T21:36:38.660

Answers


I have the same issue. I used to log on to one web site with credentials and now I can't log on using any others. When I log off and try to log on again, Chrome puts the Authorization header in automatically without asking. The site uses a local users database (no AD, but a plain .htpasswd file) and uses Basic authentication.

Already tried cleaning all cookies and saved passwords. No luck. And this happens only on Chrome and only on one PC (on other PCs in Chrome with my Google account it works properly and asks for credentials after logon).

I've found a workaround for the issue, as my main goal was to authenticate as a different user. I ran Fiddler and enabled breakpoints there. So upon a request with an Authorization header I forced a 401 response and thus made the authentication window appear. Then I provided the necessary credentials and my problem was fixed.

However, it doesn't answer the question of where those credentials are stored.

Ralfeus


Reputation: 196
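The behaviour described in the question and in this answer (no cookies, yet no prompt; a forced 401 is the only thing that brings the dialog back) follows from where HTTP-auth credentials live in a browser: in an in-memory credential cache keyed by origin and realm, which is separate from the cookie jar. The following Python script is an added example, not code from this thread or from Chrome; it runs a stateless Basic-auth server on localhost and a client that models the browser's cache. The user table, the realm name `demo`, and the `FORCE_NEXT_401` flag (standing in for the Fiddler breakpoint) are all constructed for the demonstration.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

REALM = "demo"                                  # constructed realm name
USERS = {"alice": "s3cret", "bob": "hunter2"}   # constructed stand-in for an .htpasswd file
FORCE_NEXT_401 = []                             # non-empty == "Fiddler breakpoint armed"


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Stateless server: no session table, no Set-Cookie. Every request must prove itself."""

    def do_GET(self):
        user = check_basic(self.headers.get("Authorization", ""))
        if FORCE_NEXT_401 or user is None:
            FORCE_NEXT_401.clear()              # the breakpoint fires once, like a Fiddler break
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = ("hello " + user).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):               # keep the demo quiet
        pass


def check_basic(header):
    """Return the user name if the Authorization header carries a valid Basic credential."""
    if not header.startswith("Basic "):
        return None
    try:
        user, _, pwd = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == pwd else None


class BrowserLikeClient:
    """Models a browser's HTTP-auth credential cache, which clearing cookies never touches."""

    def __init__(self, prompt):
        self.prompt = prompt     # callable(realm) -> (user, password); stands in for the dialog
        self.cache = {}          # (origin, realm) -> Authorization header value
        self.prompts = 0         # how many times the "dialog" was shown

    def _send(self, origin, path, auth):
        req = Request(origin + path, headers={"Authorization": auth} if auth else {})
        try:
            with urlopen(req) as resp:
                return resp.getcode(), resp.read().decode(), None
        except HTTPError as err:
            if err.code != 401:
                raise
            chal = err.headers.get("WWW-Authenticate", "")
            realm = chal.split('realm="', 1)[1].split('"', 1)[0] if 'realm="' in chal else ""
            return 401, "", realm

    def get(self, origin, path):
        # Pre-emptive send: a cached credential goes out with no prompt and no 401 round trip.
        cached = next((v for (o, _r), v in self.cache.items() if o == origin), None)
        status, body, realm = self._send(origin, path, cached)
        if status != 401:
            return status, body
        # Only a 401 evicts the cached credential for that realm and re-opens the dialog;
        # the app's own "log out" page and clearing cookies do not reach this cache at all.
        self.cache.pop((origin, realm), None)
        self.prompts += 1
        user, pwd = self.prompt(realm)
        auth = "Basic " + base64.b64encode(("%s:%s" % (user, pwd)).encode()).decode()
        status, body, _ = self._send(origin, path, auth)
        if status == 200:
            self.cache[(origin, realm)] = auth
        return status, body


def start_server():
    """Start the stateless server on a free localhost port and return its origin."""
    srv = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


def run_demo():
    """Replay the thread's scenario and return what the client saw at each step."""
    origin = start_server()
    who = ["alice"]
    client = BrowserLikeClient(lambda realm: (who[0], USERS[who[0]]))
    steps = {}
    steps["first_visit"] = client.get(origin, "/")         # 401 -> prompt -> 200 as alice
    steps["prompts_after_first"] = client.prompts
    who[0] = "bob"                                          # user "logs out" and wants to be bob
    steps["after_logout"] = client.get(origin, "/")        # still alice: the cache, not cookies
    steps["prompts_after_logout"] = client.prompts
    FORCE_NEXT_401.append(True)                             # Fiddler-style forced 401
    steps["after_forced_401"] = client.get(origin, "/")    # prompt again -> 200 as bob
    steps["prompts_after_forced_401"] = client.prompts
    return steps


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The server never issues a cookie, so nothing the user clears on the client side changes what it sees; the only state is the client-side cache, which is exactly why the answer's forced 401 (and, for NTLM, restarting the browser so the cache is dropped) is what makes the prompt reappear. The same model applies to NTLM, with the difference that the cached value is the negotiated credential rather than a static header.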


That site is probably using local storage, which is like cookies for HTML5.

It has been asked how to clear local storage, but unfortunately Chrome does not currently include local storage in the Clear Browsing Data dialog. In the meantime, you can do it manually by deleting the file(s) corresponding to that site under the Local Storage folder of your User Data Directory.

Synetech


Reputation: 63 242


Uncheck "Continue running background apps when Google Chrome is closed" in Chrome settings and clear browser data.

Fergara


Reputation: 101


This does not answer the question, but it is a work-around for changing credentials:

  1. Go to Internet Options
  2. Click the Security tab
  3. Click on your best guess for what zone you think the website may be under. For me, I was using the wrong credentials on a work intranet site, and my domain admins had automatically added the URL to "Local Intranet". I didn't have permission to edit "Sites" at all, but I could at least look.
  4. For that zone, click "Custom level..."
  5. Scroll all the way to bottom and choose "Prompt for user name and password"
  6. Click "OK" to save
  7. Restart Chrome so that it will pick up the new settings
  8. Navigate directly to the website in question.
    At first I was prompted for the main intranet website (my home page) and entered my credentials. Then I clicked a link for the site in question, which has the same domain, but a different subdomain. I was not re-prompted. I restarted Chrome again, canceled out of the first prompt, and when I navigated directly to the URL in question, I received a prompt and was able to change my credentials for that site.
  9. Once you have successfully authenticated with the "correct" account, you can change the settings back for auto-login, since Chrome now knows the latest credentials.

Credit for the idea goes to https://sysadminspot.com/windows/google-chrome-and-ntlm-auto-logon-using-windows-authentication/

emragins


Reputation: 183