Open Bug 1197159 Opened 7 years ago Updated 2 months ago

open a new Private Window from a Private Window and you have Cookies from the first one


(Firefox :: Private Browsing, defect)

38 Branch





(Reporter: vasilev, Unassigned)



User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150806103657

Steps to reproduce:

1. Opened a new private window and logged into a site.
2. Opened a new private window from the already opened private window and accessed the same site. I was not asked for user and password but was automatically logged in.

Actual results:

The new private window contained sessions, cookies, login information about me.

Expected results:

New private windows should not keep any information about me (logins, cookies, sessions, etc.).

Actually this one is reproducible with any website using basic auth with an authorization header.

Yes, we only have a single private session. For some uses this is actually what is needed to make sites work, and for some people it's a bit of a surprise. But in any case it's a known design aspect so it's best not handled as a "bug".

Our messaging when opening a New Private Window tends to imply the behavior this bug reporter expects. We need to make the actual behavior clearer to people.
Group: firefox-core-security
Component: Untriaged → Private Browsing

I experience the same problem, but the second private window shares the sessions and cookies with the first private window no matter from which window I start the new private window.

Daniel, it's a bug in the sense that it makes it impossible to make several private sessions. My current idea is to open a new private window for every log-in to prevent tracking, surveillance. But because of this bug, it's not possible at the moment.

If Firefox is really committed to privacy, as it says on the home page, then the impossibility to create a second private session has to be handled as a serious bug.

After four years, there is no warning that private browsing is not as private as users can expect. Furthermore, the current behavior is impractical for such circumstances as logging into the same service (e.g. Twitter) under multiple users simultaneously. This type of use is probably impossible at all.

Google Chrome/Chromium behave similarly in the "incognito" mode but also support temporary profiles intended for the purpose noted above. Firefox has no such mode. Containers are unsuitable for this purpose.

Dupe of Bug 1551280

Severity: normal → S3
