Latest Brave update potentially sharing cookie/cache data with private sessions?

Browser Support Desktop Support
, , ,
1

Description of the issue:

I always use a private session so sign-in to “personal” things, such as banking and email etc. As of recently, when I sign-in to my Google account (specifically gmail), it also seems to half-sign-in on the non-private browser window. I can see my Google account icon when I go to YouTube etc, but cannot access any of my account settings without being prompted to sign-in again (while still being fully signed-in on the private window).

The Google account that I discovered this on has only recently been created, and so the majority of the privacy settings are default. When I check the activity history, it seems it’s been tracking browsing activity cross-session since the account’s creation - If I’m signed-in to the private session, Google is also tracking my activity in the regular, non-private session.

Brave 1.83.118 (Official Build) (64-bit) | Chromium: 141.0.7390.108

However, I also have another portable version of Brave for when I want to sign into multiple accounts at once and after testing, this issue does not occur - the portable build version is slightly behind.

I have also tried:

  • Installing a clean Brave portable instance. Completely default, out of the box settings - the issue does not occur. Version (portable):
    Brave 1.80.115 (Official Build) (64-bit) | Chromium: 138.0.7204.97
  • Installing Brave Beta. Completely default, out of the box settings - the issue does not occur. Version (beta):
    Brave 1.84.124 (Official Build) beta (64-bit) | Chromium: 141.0.7390.108
  • I also completely removed Brave (from another device) using RevoUninstaller and reinstalled it. Completely default, out of the box settings - the issue does not occur. Version (official):
    Brave 1.83.118 (Official Build) (64-bit) | Chromium: 141.0.7390.108

Sooo this tells me it’s probably something to do with my settings… I guess?

However; Part 2: It’s only the new Google account that has the issue. I have my primary Google account, where many of the privacy settings have all been turned off. This account does not have the weird cross-session issue. I’ve tried to enable some of the privacy settings on the other account, but I can’t seem to replicate it.

Is this a Brave issue, or is Google trying to be extra, super annoying?

Steps to Reproduce (add as many as necessary): 1. 2. 3.

  1. Create a Google/gmail account(?)
  2. Using a private window, sign-in to gmail
  3. In the same instance, but in the non-private window, go to a Google service like YouTube
  4. You should be kind of signed-in, and your search activity will show up on your account

Some Other Information:

All of my browsing data is set to be deleted on-exit, except for a few (see image)

image
image507×524 15.1 KB

(Hosted app data (off-screen) is unchecked)

My extensions - all are enabled for private browsing:

2

Thanks for the detailed report.
I just tested this on my end and don’t see this behavior. However, I’m not entirely clear on what I’m looking for – what exactly is “half signed in”? When I performed the test, I made a. fresh profile, signed into my gmail account in a private window, went back to the normal browsing window and visited YouTube.com.

The page appears the same way it does when I’m not signed in – the Sign in button is displayed on top, there is no history (search or otherwise) shown, and all the videos appear to be whatever would appear on the YT front page.

There shouldn’t be any way for your session data from the private window to be stored/retained in the standard browsing window. The only way this would occur is if, in the Private window, you also sign into youtube and then return to the normal browsing window and sign into Youtube there as well. You would then see any activity that occurred in the Private window (like searches, watch history, etc) because that data is tied /stored on your account, not in the browser specifically.

If you can provide some more information about what exactly “half signed in” means may be able to look deeper into this. Would it be possible for you to share a screen recording of what you see on the normal browsing page when you visit youtube (after signing into gmail in the Private window)?

3

May I suggest reading this blog article, and maybe some more of that blog as well.

Private Browsing Mode Explained Article:

Privacy Crash Course (including an article on Living without Google):

I’m curious as to why people even bother using Private Tabs/Windows, it’s really only useful for hiding your tracks from people living with you and/or sharing your device.

I also find Forget me when I close this site master switch turned on under brave://settings/shields (then turning it off per site as necessary)
+
As well as changing default Allow... INSTEAD to Delete... in brave://settings/content/siteData
(and again modifying per site)

More helpful, rather than dealing with brave://settings/clearBrowserData - I only use this if I’m taking my laptop out of my home/travelling.

Signing into EVERY account EVERY time can be annoying when there is really no difference in keeping a few things around for convenience sake.

But that’s just me, if you need to hide things from your family/roommates, fair enough.

4

What I mean by “half signed in“ is that:

When you normally sign-in to your account, the account’s profile image will appear on the top right of the page when using a Google service. Clicking it will expand and show account-related options.

When I sign into my account through a private window, some accounts also seem to do this “half-sign-in“ thing, where the profile image is in the top right of the normal session. If I go into the account activity, I can see that it’s tracking search history in the non-private window - the one that’s not supposed to be signed in.

image
image338×809 24 KB

This is an image of what’s shown on the normal window, after only signing-in to the private browser. Clicking any of these options prompts you to sign-in though

I would say that it’s just Google being Google, but I’ve tested multiple accounts with multiple browsers/versions, and nothing is consistent

5

I’m aware of what private browsing can/cannot hide, and I fully understand that there are many ways to be tracked online. Using a private session is just a personal preference. It allows for me to me to keep cookies/cache separate from my normal session activity - just doing some extra little things to minimize activity data association with a specific account

1 Like
6

Fair enough, not everybody does as I said, and wasn’t sure with what you shared, I’ll leave you in Mattches’ hands :folded_hands:

1 Like
7

@Mattches

Small Update:

So I’ve been testing, and the account I mentioned before that “doesn’t do it“, does actually do it - even with all of the account privacy settings set to “off”. But only when:

  • If I sign-in using a passkey (using Bitwarden), everything works as expected. The normal session does not sign-in.
  • If I sign-in to that same account, under the same conditions, but instead using a user/pass (and 2FA auth code), the main browser session does sign-in

Some things I can’t explain is why this behaviour only happens on this one installation of Brave (official), on this machine. The portable versions don’t do it, nor does Brave Beta, and the official installation on another machine also doesn’t do it.

I’ve tested this multiple times and across multiple accounts - passkeys are fine; user/pass is not (specifically on this one machine)

I will wait for your response, in case there is anything you’d like me to test, but I think I’m just going to do a fresh install of Brave and see if I still get the same issue afterwards

Edit:

Whether it’s Brave, Google, or both, I’m not sure, but it definitely something to do with how you authenticate. I just added a passkey to the account I was originally having the issue with, and if I login using it (through the private browser), I don’t get weird cross-session.

Again though, this is only an issue on a single installation, on a single machine. When I initially installed Brave, I did go through and change most settings, so it could something there, although I feel like this shouldn’t happen regardless - especially given that most of the settings I changed were disabling cache etc.

8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.