Closed Bug 496306 Opened 15 years ago Closed 14 years ago

Cookies should be encrypted when saved on disk

Categories

(Firefox :: Security, enhancement)

x86
Windows XP
enhancement
Not set
normal


RESOLVED DUPLICATE of bug 19184

People

(Reporter: eyalsoha+bugzilla, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

On websites that require a log-in, such as gmail, some have a "Remember me" option to save me the effort of logging in each time.  This is done by having a cookie saved on my computer.  For my gmail account and others, stealing my cookies is as good as having my gmail password.

I believe that if a Firefox user enables the Master Password for his password manager, it should also password protect all the cookies.

Reproducible: Always

Steps to Reproduce:
1. Enable the password manager and use a Master Password
2. Log-in to gmail or another site and select "Remember Me"
3. Close Firefox
4. Restart Firefox.  When asked for the master password, click "Cancel"
5. Browse to www.gmail.com

Actual Results:
Cookies are sent to gmail and my inbox is visible without ever entering a password.

Expected Results:  
Cookies can't be decrypted without the master password.  They are not sent to gmail.  gmail shows me a log-in screen.

Software to search through a user's profile directory and extract all the passwords from the password manager already exists.  The master password thwarts that software.

Cookies are just as valuable as passwords today and should be protected as well.

part of bug 19184
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE