Closed
Bug 129819
Opened 22 years ago
Closed 22 years ago
QuickLaunch won't release session cookies
Categories
(Core Graveyard :: QuickLaunch (AKA turbo mode), defect)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: fmouse-mozilla, Assigned: morse)
References
Details
(Whiteboard: [adt1])
Attachments
(1 file)
|
2.81 KB,
patch
|
samir_bugzilla
:
review+
darin.moz
:
superreview+
jesup
:
approval+
|
Details | Diff | Splinter Review |
A cookie set without an "expires" attribute should remain in memory only and be expunged when all open browser sessions are closed. QuickLaunch interferes with this. If all browser windows are closed, apparently QuickLaunch retains the cookie in memory so that subsequent browser sessions recall this cookie as if it were a persistent cookie on disk. This creates a major problem with session cookies since a session can't be truly closed without killing QuickLaunch. From Netscape's Cookie Spec, "expires is an optional attribute. If not specified, the cookie will expire when the user's session ends."
|
||
Comment 2•22 years ago
|
||
*** Bug 134619 has been marked as a duplicate of this bug. ***
|
|
||
Comment 3•22 years ago
|
||
*** Bug 125568 has been marked as a duplicate of this bug. ***
|
|
||
Comment 4•22 years ago
|
||
confirming and CC morse@netscape.com
Status: UNCONFIRMED → NEW
Ever confirmed: true
Nominating and re-assigning to Steve.
Assignee: law → morse
Keywords: nsbeta1
|
||
Comment 6•22 years ago
|
||
Does this cause privacy violations where the second distinct user of the browser is able to get at the first user's cookies or the value of the first user's session cookies in an implicit fashion?
|
||
Comment 7•22 years ago
|
||
The cookie should be delete when the browser that use that cookie is closed. If you have aditional browsers, but in direffent sites and you close the browser that use the cookie, the cookis should also be deleted and don't wait until all browser are closed. This is how it works in IE6, I don't if it is the correct way or just a "feature" of IE, but it works nice.
|
Reporter | |
Comment 8•22 years ago
|
||
Session cookies persist for the duration of a browser instance and are often used for authenticated logins. If one closes all running browser instances one has a reasonable expectation that in-memory session cookies will go away, however if QuickLaunch is running they don't. If I were to walk away from my computer after closing down a browser session on an authenticated site (as well as all other visible browser instances), someone else could come to my computer, open up a new browser window and use my still valid session cookies to get immediate access to the authenticated site without knowing my password. It's a major security problem!
|
|
||
Comment 9•22 years ago
|
||
Nav triage team: nsbeta1+/adt2
|
Assignee | |
Comment 10•22 years ago
|
||
|
|
||
Comment 11•22 years ago
|
||
Comment on attachment 77945 [details] [diff] [review] release session cookies at quicklaunch exit r=sgehani
Attachment #77945 -
Flags: review+
|
||
Comment 12•22 years ago
|
||
Comment on attachment 77945 [details] [diff] [review] release session cookies at quicklaunch exit sr=darin
Attachment #77945 -
Flags: superreview+
|
||
Comment 14•22 years ago
|
||
adt1.0.0+ (on ADT's behalf) for approval to checkin to 1.0. Pls check this in today.
|
||
Comment 15•22 years ago
|
||
Comment on attachment 77945 [details] [diff] [review] release session cookies at quicklaunch exit a=rjesup@wgate.com
Attachment #77945 -
Flags: approval+
|
|
Assignee | |
Comment 16•22 years ago
|
||
Fix checked in
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•