Closed
Bug 129819
Opened 23 years ago
Closed 23 years ago
QuickLaunch won't release session cookies
Categories
(Core Graveyard :: QuickLaunch (AKA turbo mode), defect)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: fmouse-mozilla, Assigned: morse)
References
Details
(Whiteboard: [adt1])
Attachments
(1 file)
2.81 KB,
patch
|
samir_bugzilla
:
review+
darin.moz
:
superreview+
jesup
:
approval+
|
Details | Diff | Splinter Review |
A cookie set without an "expires" attribute should remain in memory only and be
expunged when all open browser sessions are closed. QuickLaunch interferes with
this. If all browser windows are closed, apparently QuickLaunch retains the
cookie in memory so that subsequent browser sessions recall this cookie as if it
were a persistent cookie on disk. This creates a major problem with session
cookies since a session can't be truly closed without killing QuickLaunch.
From Netscape's Cookie Spec, "expires is an optional attribute. If not
specified, the cookie will expire when the user's session ends."
Comment 2•23 years ago
|
||
*** Bug 134619 has been marked as a duplicate of this bug. ***
Comment 3•23 years ago
|
||
*** Bug 125568 has been marked as a duplicate of this bug. ***
Comment 4•23 years ago
|
||
confirming and CC morse@netscape.com
Status: UNCONFIRMED → NEW
Ever confirmed: true
Nominating and re-assigning to Steve.
Assignee: law → morse
Keywords: nsbeta1
Comment 6•23 years ago
|
||
Does this cause privacy violations where the second distinct user of the browser
is able to get at the first user's cookies or the value of the first user's
session cookies in an implicit fashion?
Comment 7•23 years ago
|
||
The cookie should be delete when the browser that use that cookie is closed.
If you have aditional browsers, but in direffent sites and you close the
browser that use the cookie, the cookis should also be deleted and don't
wait until all browser are closed.
This is how it works in IE6, I don't if it is the correct way or
just a "feature" of IE, but it works nice.
Reporter | ||
Comment 8•23 years ago
|
||
Session cookies persist for the duration of a browser instance and are often
used for authenticated logins. If one closes all running browser instances one
has a reasonable expectation that in-memory session cookies will go away,
however if QuickLaunch is running they don't. If I were to walk away from my
computer after closing down a browser session on an authenticated site (as well
as all other visible browser instances), someone else could come to my computer,
open up a new browser window and use my still valid session cookies to get
immediate access to the authenticated site without knowing my password. It's a
major security problem!
Comment 9•23 years ago
|
||
Nav triage team: nsbeta1+/adt2
Assignee | ||
Comment 10•23 years ago
|
||
Comment 11•23 years ago
|
||
Comment on attachment 77945 [details] [diff] [review]
release session cookies at quicklaunch exit
r=sgehani
Attachment #77945 -
Flags: review+
Comment 12•23 years ago
|
||
Comment on attachment 77945 [details] [diff] [review]
release session cookies at quicklaunch exit
sr=darin
Attachment #77945 -
Flags: superreview+
Comment 14•23 years ago
|
||
adt1.0.0+ (on ADT's behalf) for approval to checkin to 1.0. Pls check this in today.
Comment 15•23 years ago
|
||
Comment on attachment 77945 [details] [diff] [review]
release session cookies at quicklaunch exit
a=rjesup@wgate.com
Attachment #77945 -
Flags: approval+
Assignee | ||
Comment 16•23 years ago
|
||
Fix checked in
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•