Bug 1298452: cookie still there after closing Firefox
Opened 8 years ago, closed 8 years ago
Categories: Firefox :: Untriaged, defect
Status: RESOLVED DUPLICATE of bug 530594
People: Reporter: montdm, Unassigned
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160817112116

Steps to reproduce:

In php, I create a cookie with the instruction: set_cookie("mycookie","anumber");
On php.net, they say that when no expire data is given (the expire data is optional data you can give or not as the third argument of setcookie, like in set_cookie("mycookie","anumber", time()+3600), which will create a cookie for one hour), the cookie will be destroyed when the browser closes.
The exact sentence on http://php.net/manual/en/function.setcookie.php: "If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes)"

Actual results:

I create a page cookie.php to see the cookies: print_r($_COOKIE);
When I call this page after creating the cookie, the cookie "mycookie" is there.
I close Firefox, I open Firefox, I go to the page cookie.php: the cookie "mycookie" is still there !!!

Expected results:

"If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes)"
With IE11 and Safari 51.7, the cookie disappeared -> perfect
With Firefox 48, the cookie has not disappeared -> very very bad !!!
If someone opens the browser in a public Internet cafe after I left, he could access the administration of my website and destroy it !!!!!

I just tried with the third data at 0 rather than omitted (as suggested by php.net): set_cookie("mycookie","anumber", 0);
Exactly the same pb! The cookie is still there after!

Maybe important information: I create the cookie not at the root of my website but in a subdirectory: mywebsite.com/admin/
I didn't try if it works at the root.
Comment 3•8 years ago
I can't reproduce. Some questions:

- are you using setcookie or set_cookie? The latter doesn't exist in the PHP function reference so presumably it's a different thing, which maybe defaults to something other than session cookies? You can see what kind of cookie you've created using the Firefox developer tools, i.e. press shift-f2, then type "cookie list".

- are you restoring your browsing session, either automatically via the Firefox options about what happens when Firefox starts, or with an add-on, or by pressing "restore previous session" somewhere in the UI? In that case you're hitting bug 530594.

- can you provide an online testcase where this reproduces for you?
Flags: needinfo?(montdm)
Comment 4•8 years ago
Our cookie behavior (sad as I am about bug 530594) is not a secret so this bug can be unhidden.
Group: firefox-core-security
(In reply to :Gijs Kruitbosch from comment #3)
> I can't reproduce. Some questions:
>
> - are you using setcookie or set_cookie? The latter doesn't exist in the PHP
> function reference so presumably it's a different thing, which maybe
> defaults to something other than session cookies? You can see what kind of
> cookie you've created using the Firefox developer tools, i.e. press
> shift-f2, then type "cookie list".
>
> - are you restoring your browsing session, either automatically via the
> Firefox options about what happens when Firefox starts, or with an add-on,
> or by pressing "restore previous session" somewhere in the UI? In that case
> you're hitting bug 530594.
>
> - can you provide an online testcase where this reproduces for you?

- Yes sorry, it's setcookie of course: the web page to php.net I gave in my first post is the good one
- Very good the "shift-f2 then cookie list": I didn't know it and it shows that my bug is a true bug!
- Yes I use an add-on session: http://sessionmanager.mozdev.org
bug 530594 looks like my bug
I have the same bug with opera 38 and google chrome 51 and I also used a restored session with these browsers
I don't have the pb with Safari 5.1.7 and IE 11 but I don't use restored session with these browsers
I see that the bug 530594 was opened in 2009 = 7 years ago! See you in 2023! Lol
- I have created a special profile on my website to see the bug: https://montdm.shost.ca/
Member = testcookie
password = testcookie
Then go to the "Admin" menu
member and passwords are the same (testcookie)
the cookie "monTdMAdmin" doesn't disappear when you close the browser Firefox
Flags: needinfo?(montdm)
Comment 6•8 years ago
(In reply to Mahab from comment #5)
> - Yes I use an add-on session : http://sessionmanager.mozdev.org
> bug 530594 looks like my bug
> I have the same bug with opera 38 and google chrome 51 and I also used a
> restored session with these browsers

Right. Duping there.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
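
Because session restore brings session cookies back (bug 530594), the lifetime of an admin login has to be enforced by the server rather than by the browser. The sketch below is an added example, not code from this bug report or from the reporter's site: the cookie value carries HMAC-signed timestamps and is refused after an idle or absolute limit. `ADMIN_KEY`, `MAX_IDLE`, `MAX_AGE` and the three function names are assumptions; the cookie name and path are the ones mentioned in the report.

```php
<?php
// Added example, not code from the bug report. ADMIN_KEY, the limits and the
// function names are assumptions; user names must not contain '|'.
const ADMIN_KEY = 'placeholder-load-a-random-secret-from-config';
const MAX_IDLE  = 900;    // seconds allowed between two admin requests
const MAX_AGE   = 28800;  // seconds allowed since login, whatever the activity

// Cookie value: base64(user|login time|last request time) + "." + HMAC-SHA256.
function issue_admin_token(string $user, int $login, int $lastSeen): string {
    $payload = implode('|', [$user, $login, $lastSeen]);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, ADMIN_KEY);
}

// Returns the session data, or null when the value is forged or too old.
function check_admin_token(string $token, int $now): ?array {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) return null;
    $payload = base64_decode($parts[0], true);
    if ($payload === false) return null;
    if (!hash_equals(hash_hmac('sha256', $payload, ADMIN_KEY), $parts[1])) return null;
    $fields = explode('|', $payload);
    if (count($fields) !== 3) return null;
    [$user, $login, $lastSeen] = [$fields[0], (int)$fields[1], (int)$fields[2]];
    if ($now < $lastSeen || $now - $lastSeen > MAX_IDLE || $now - $login > MAX_AGE) return null;
    return ['user' => $user, 'login' => $login];
}

// On every admin request: verify, then re-issue with a fresh last-seen time.
// A refused cookie is deleted by sending it back with an expiry in the past.
function refresh_admin_cookie(int $now): ?array {
    $session = check_admin_token($_COOKIE['mycookie'] ?? '', $now);
    $value = $session ? issue_admin_token($session['user'], $session['login'], $now) : '';
    setcookie('mycookie', $value, ['expires' => $session ? 0 : 1, 'path' => '/admin/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
    return $session;
}

// Constructed timeline: login at $t0, browser closed, cookie restored later.
$t0 = 1472000000;
$cookie = issue_admin_token('testcookie', $t0, $t0);
var_dump(check_admin_token($cookie, $t0 + 60) !== null);       // next request, one minute on
var_dump(check_admin_token($cookie, $t0 + 7200) !== null);     // restored two hours later
var_dump(check_admin_token($cookie . '0', $t0 + 60) !== null); // altered value
```

A stateless token like this cannot be revoked at logout; keeping the last-seen time in server-side session storage gives the same limits plus revocation.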