open a new Private Window from a Private Window and you have Cookies from the first one

UNCONFIRMED
Unassigned

Status

()

defect
UNCONFIRMED
4 years ago
6 months ago

People

(Reporter: vasilev, Unassigned)

Tracking

38 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Reporter

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150806103657

Steps to reproduce:

1. Opened a new private window and logged into a site
2. opened a new private window from the already opened private window and accessed the same site. I was not asked for user and password but was automatically logged in.


Actual results:

the new private window contained sessions, cookies, login information about me


Expected results:

new private windows should not keep any information about me (logins, cookies, sessions, etc.)
Reporter

Comment 1

4 years ago
Actually this one is reproducible with any website using basic auth with authorization header.
Yes, we only have a single private session. For some uses this is actually what it needed to make sites work, and for some people it's a bit of a surprise. But in any case it's a known design aspect so it's best not handled as a "bug".

Our messaging when opening a New Private Window tends to imply the behavior this bug reporter expects. We need to make the actual behavior clearer to people.
Group: firefox-core-security
Component: Untriaged → Private Browsing

Comment 3

4 years ago
I experince the same problem, but the second private window shares the sessions and cookies with the first private window no matter from which window I start the new private window.

Daniel, it's a bug in a sense, that it makes impossible to make a several private sessions. My current idea is to open a new private window for every log-in to prevent tracking, surveillance. But because of this bug, it's not possible at the moment.

If Firefox is really committed to the privacy, as it says on the mozilla.org home page, then the impossibility to create a second private session has to be handled as a serious bug.
You need to log in before you can comment on or make changes to this bug.