geometrix - Fotolia

Controversial Chrome login feature to be partially rolled back

Google will modify the next version of Chrome in an attempt to appease critics of the browser's cookie retention functionality and automatic Chrome login feature.

Google says it has heard the criticism to recent changes in its Chrome browser, and the company will make some changes in order to appease users.

Google recently came under fire for changes to its Chrome login feature. Previously, users could choose whether or not to sign in to the browser itself, separately from signing in to Google's various web properties. However, in Chrome version 69, Google connected those separate login functions so the browser would automatically sign-in to the user's Google account when that user signed into a Google product like Gmail or Youtube.

Many people criticized the new Chrome login functionality and Google has announced it will at least partially change how Chrome login works.

"While we think sign-in consistency will help many of our users, we're adding a control that allows users to turn off linking web-based sign-in with browser-based sign-in -- that way users have more control over their experience," Zach Koch, product manager for Chrome, wrote in a blog post. "For users that disable this feature, signing into a Google website will not sign them into Chrome."

A Google spokesperson confirmed that the forced Chrome login feature will still be turned on by default and users will need to opt out. The changes are planned for Chrome version 70 due out in mid-October.

One of the loudest critics of the Chrome login change, Matthew Green, cryptography expert and professor at Johns Hopkins University's Information Security Institute, praised Google on Twitter for its swift response but added that the automatic sign-in was still "much more invasive" than the browser had been.

Cookie time

In addition to the Chrome login controversy, Google was called out for an odd practice with Chrome cookies. Christoph Tavan, CTO and co-founder of ContentPass, based in Berlin, discovered that Chrome's default when a user chose to clear all cookies was to clear all cookies except for those from Google, which were retained so the user would stay logged in to Google services.

Tavan said that Chrome notified users on the "Clear Browsing Data" settings page that they wouldn't be signed out of Google services, implying those cookies wouldn't be deleted, but on the settings page to view cookies, Chrome showed a "remove all" button that did not have a similar warning.

Koch said Chrome version 70 would change this behavior as well.

"We're also going to change the way we handle the clearing of auth cookies. In the current version of Chrome, we keep the Google auth cookies to allow you to stay signed in after cookies are cleared," Koch wrote. "We will change this behavior that so all cookies are deleted and you will be signed out."

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing