19

I am accessing a web application using Chrome. If I sign out of the app and clear all Chrome history/cookies/etc (even Flash cookies which are now handled by Chrome in the same Clear History area) and then re-access the site, I am automatically logged in without being prompted for credentials.

I then launched Chrome in Incognito mode and was able to reproduce the same behavior. However, I was prompted upon the first logon while in Incognito mode.

The web application behaves as expected in Internet Explorer 10.

Some info about the application:

  • It's a SharePoint site using NTLM authentication
  • The credentials are Active Directory-based, as the username is domain\username
  • My connection is over the Internet and there is no AD relationship between my local Windows account, my Windows PC. In other words I (meaning my locally logged on user and my PC) are not in any way part of their AD domain.
  • The site is running SSL on port 443

Why might Chrome be automatically authenticating me?

Howiecamp
  • 1,598

5 Answers

5

I have the same issue. I used to log on to one web site with credentials and now I can't log on using any others. When I log off and try to log on again, Chrome puts the Authorization header in automatically without asking. The site uses a local user database (no AD, just a plain .htpasswd file) and uses Basic authentication.

I already tried cleaning all cookies and saved passwords. No luck. And this happens only in Chrome and only on one PC (on other PCs, Chrome with my Google account works properly and asks for credentials after logon).

I've found a workaround for the issue, as my main goal was to authenticate as a different user. I ran Fiddler and enabled breakpoints there. Upon a request with the Authorization header, I forced a 401 response and thus made the authentication window appear. Then I provided the necessary credentials and my problem was fixed.

However, it doesn't answer the question of where those credentials are stored.

Ralfeus
  • 206
2

That site is probably using local storage[1][2] which is like cookies for HTML5.

It has been asked, how to clear the local storage, but unfortunately, Chrome does not currently include local storage in the Clear Browsing Data dialog. In the meantime, you can do it manually by deleting the file(s) corresponding to that site under the Local Storage folder of your User Data Directory.

NetMage
  • 202
Synetech
  • 69,547
1

Chrome appears to cache credentials when you enter them into a prompt for Basic Authentication. Subsequent requests automatically add an Authorization header to each request with an encoded value, which allows these requests to skip the need to prompt for these credentials.


I ran into this myself recently and after doing a bit of research I ran into the following articles which may help explain the behavior and provide additional ways to clear these cached credentials which may fit your needs.

Resources:

jpierson
  • 317
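A simplified model of the behaviour described in the answers above (credentials typed into a Basic authentication prompt are replayed in an Authorization header until a 401 forces a new prompt), as an added example that is not part of the original answers. The class and function names, the origin and the accounts are constructed, and the cache model is an assumption, not Chrome's implementation.

```python
import base64

class BasicAuthClient:
    """Toy browser: keeps Basic credentials in memory per origin (assumed model)."""

    def __init__(self, prompt):
        self.prompt = prompt      # callable returning (user, password)
        self.cache = {}           # origin -> Authorization header value
        self.prompts = 0          # how often the user was asked

    def _ask(self, origin):
        self.prompts += 1
        user, password = self.prompt()
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.cache[origin] = f"Basic {token}"

    def get(self, origin, server, max_prompts=3):
        """Send a request; server(header) returns an HTTP status code."""
        status = server(self.cache.get(origin))   # cached header is replayed
        for _ in range(max_prompts):
            if status != 401:
                break
            self.cache.pop(origin, None)          # 401: credentials rejected
            self._ask(origin)
            status = server(self.cache[origin])
        return status

def decode_basic(header):
    """Recover (user, password) from a Basic header; it is encoded, not encrypted."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    user, sep, password = base64.b64decode(token).decode().partition(":")
    return (user, password) if sep else None

def make_server(users):
    """Constructed sample server; state['force_401'] rejects one request."""
    state = {"force_401": False, "last_user": None}
    def server(header):
        creds = decode_basic(header)
        if state["force_401"]:                    # the forced 401 from the workaround
            state["force_401"] = False
            return 401
        if creds is None or users.get(creds[0]) != creds[1]:
            return 401
        state["last_user"] = creds[0]
        return 200
    return server, state
```

Clearing cookies never touches `cache` in this model, which is why only a 401 sent in response to the replayed header brings the prompt back.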
0

Uncheck "Continue running background apps when Google Chrome is closed" in Chrome settings and clear browser data.

Fergara
  • 99
0

This does not answer the question, but it is a work-around for changing credentials:

  1. Go to Internet Options
  2. Click the Security tab
  3. Click on your best guess for what zone you think the website may be under. For me, I was using the wrong credentials on a work intranet site, and my domain admins had automatically added the URL to "Local Intranet". I didn't have permission to edit "Sites" at all, but I could at least look.
  4. For that zone, click "Custom level..."
  5. Scroll all the way to bottom and choose "Prompt for user name and password"
  6. Click "OK" to save
  7. Restart Chrome so that it will pick up the new settings
  8. Navigate directly to the website in question.
    At first I was prompted for the main intranet website (my home page) and entered my credentials. Then I clicked a link for the site in question, which has the same domain, but a different subdomain. I was not re-prompted. I restarted Chrome again, canceled out of the first prompt, and when I navigated directly to the URL in question, I received a prompt and was able to change my credentials for that site.
  9. Once you have successfully authenticated with the "correct" account, you can change the settings back for auto-login, since Chrome now knows the latest credentials.

Credit for the idea goes to https://sysadminspot.com/windows/google-chrome-and-ntlm-auto-logon-using-windows-authentication/

emragins
  • 213