Closed Bug 1174709 Opened 10 years ago Closed 10 years ago

When visiting HTTPS sites, you can switch back to HTTP with stored sessions if the tab is closed, then a second tab is launched to revisit the original site (back to http).

Categories: Web Compatibility :: Site Reports, defect

Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: jer.roe, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150525141253

Steps to reproduce:

a. Open two tabs, such as google.com and http://www.united.com in a second tab.
b. Log in to united.com (switches from http to https).
c. Close the united.com tab, leaving only google.com open.
d. Open a new tab and revisit www.united.com or http://www.united.com.
e. The session is still live; however, it will be back to http and not secure.
f. This will make credit card transactions and demographic information not PCI compliant.

Actual results:

Websites with stored sessions may change from http to https and back to http if the tab is closed, followed by a new tab being created to visit the site. The user will still be logged in, but if there is no forced dns redirection the session is no longer secure.

Expected results:

When opening the tab and re-visiting, the session needs to remain HTTPS, or traffic including demographic, login info, credit card info etc. will be passed in plain text.
This is a bug in United's web site. They should ensure the actual session cookies are https-only, and that opening a non-https version of their site while logged in redirects you to https so that you can be logged in. The same thing would happen if you opened a new tab while still logged in on another tab. Have you contacted united about this issue? (Don't know if this needs to stay closed for United's sake, leaving that decision to someone else.)
Component: Untriaged → Desktop
Flags: needinfo?(jer.roe)
Product: Firefox → Tech Evangelism
Version: 38 Branch → Trunk
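The two server-side fixes named in the comment above (a Secure-flagged session cookie, and an http-to-https redirect for any request that arrives over plain http) are easy to get half right, so here is an added example that is not part of this bug report and not code from united.com or Firefox. It models the report's scenario against a hypothetical minimal request handler (the `req`/response shapes and the host `www.example.test` are assumptions, not Node's `http` API) and shows that the Secure flag alone still leaves the user on an http page, so both pieces are needed:

```javascript
'use strict';

// Build the Set-Cookie header value for the session cookie. `secure`
// toggles the Secure attribute so the weak and hardened forms can be
// compared; HttpOnly and SameSite are included as good hygiene.
function buildSessionCookie(sessionId, { secure = true } = {}) {
  const attrs = [`sid=${sessionId}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Model the browser's rule for the Secure attribute: a cookie marked
// Secure is only attached to https requests; a cookie without it goes
// out over plain http as well.
function browserWouldSendCookie(setCookieValue, scheme) {
  const attrs = setCookieValue.split(';').map((a) => a.trim().toLowerCase());
  return scheme === 'https' || !attrs.includes('secure');
}

// Hypothetical request handler (not Node's http API). `req` is
// { scheme, host, path, cookies }; the result is { status, headers, body }.
// With redirectHttp enabled, every http request is answered with a
// redirect to the same URL on https before the session is consulted.
function handleRequest(req, sessions, { redirectHttp = true } = {}) {
  if (redirectHttp && req.scheme !== 'https') {
    return {
      status: 301,
      headers: { Location: `https://${req.host}${req.path}` },
      body: '',
    };
  }
  const sid = req.cookies.sid;
  if (sid && sessions.has(sid)) {
    return { status: 200, headers: {}, body: `Logged in as ${sessions.get(sid)}` };
  }
  return { status: 302, headers: { Location: '/login' }, body: '' };
}

// Replay the report: the user logged in over https (the server issued the
// session cookie), closed the tab, then opened http://host/ in a new tab.
// Returns the response that plain-http request gets under the chosen
// server configuration. Host and session id are constructed sample data.
function simulateRevisit({ secureCookie, redirectHttp }) {
  const sessions = new Map([['s3ss10n', 'jer']]);
  const setCookie = buildSessionCookie('s3ss10n', { secure: secureCookie });
  const cookies = browserWouldSendCookie(setCookie, 'http') ? { sid: 's3ss10n' } : {};
  const req = { scheme: 'http', host: 'www.example.test', path: '/', cookies };
  return handleRequest(req, sessions, { redirectHttp });
}

// Weak: no Secure flag, no redirect -> the logged-in page is served over http.
// Hardened: Secure flag plus redirect -> 301 to https, session never exposed.
// Secure flag alone: browser withholds the cookie, but the user still lands
// on an http login page, so the redirect is needed as well.
console.log(simulateRevisit({ secureCookie: false, redirectHttp: false }).status); // 200
console.log(simulateRevisit({ secureCookie: true, redirectHttp: true }).status);   // 301
console.log(simulateRevisit({ secureCookie: true, redirectHttp: false }).status);  // 302
```

The weak configuration is exactly what the reporter observed: the cookie set during the https login has no Secure attribute, so the browser happily attaches it to the later http request, and the server answers that request with the logged-in page. The redirect must fire before any session lookup, and the cookie must carry Secure so that it is never transmitted in the clear even if a redirect is missed somewhere.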
I contacted United previously; you are correct, I was able to reproduce this in another browser. Take care.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jer.roe)
Resolution: --- → INVALID
Group: core-security
Product: Tech Evangelism → Web Compatibility