Session cookie is not removed after closing the tab and exiting the browser
Categories
(Firefox :: Session Restore, defect, P3)
Tracking
()
People
(Reporter: egil, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression)
Attachments
(1 file)
|
671 bytes,
text/html
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Build ID: 20171024165158 Steps to reproduce: 1. Open attached session-cookie.html or http://f.enux.pl/_tests/session-cookie.html 2. Close tab with session-cookie.html. 3. Exit Firefox (CTRL+SHIFT+Q). 4. Open new tab and open session-cookie.html. Actual results: Start cookies: test_session_cookie=123 sessionStorage item: null Notice how the session cookie is preserved but an item in `sessionStorage` is not. Also note that the `sessionStorage` is removed even when the tab is closed (without closing Firefox). Expected results: Start cookies: sessionStorage item: null I can understand that cookie would be preserved if I restarted the Firefox. But I closed the tab and then closed Firefox. I haven't restored the tab! I just visited the same URL.
|
Reporter | |
Comment 1•6 years ago
|
||
PS: Contrary to the user-agent I used FF dev 61 for testing:
"buildID": "20180607135512",
"userAgent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0",|
|
Reporter | |
Comment 2•6 years ago
|
||
Related with (but different case): Bug 443354 - "Save and Quit" tabs should not save session cookies of to-be-restored tabs
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 Build ID:20180614100146 I could not reproduce the issue on Windows 7 x64 using the latest Nightly 62.0a1 and Firefox Beta 61.0b13 following the STR from description. But I managed to reproduce it using the following STR: 1.Launch Firefox 2.Open http://f.enux.pl/_tests/session-cookie.html in a new tab 3.Close tab with session-cookie.html 4.Exit Firefox (CTRL+SHIFT+Q) 5.Reopen Firefox 6.Click "Restore Previous Session" 7.Open http://f.enux.pl/_tests/session-cookie.html in a new tab [Actual result]: Start cookies: test_session_cookie=123 sessionStorage item: null I am assigning a component to this issue in order to involve the development team and get an opinion on this.
|
|
Reporter | |
Comment 4•6 years ago
|
||
Original steps still work for me on Nightly: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 1. Launch Firefox(*). 2. Open attached session-cookie.html or http://f.enux.pl/_tests/session-cookie.html 3. Close tab with session-cookie.html. 4. Exit Firefox (CTRL+SHIFT+Q). 5. Reopen Firefox. 6. Open http://f.enux.pl/_tests/session-cookie.html in a new tab Movie: https://www.youtube.com/upload (*) Some notes on my FF Nightly installation: * I'm using a fresh profile for Nightly (created just before doing the test). * Launching with params: `-P Nightly -no-remote` (if that is important). * I have some pinned tabs, but form OTHER domains (if that is important).
|
|
Reporter | |
Comment 5•6 years ago
|
||
Sorry :-). Link to the movie: https://youtu.be/-lS3-Z0j6Fg
|
|
Reporter | |
Comment 6•6 years ago
|
||
I've re-tested and yes -- pinned tabs seem to trigger session restore automatically. Even if you have a blank page (speed dial) pinned.
From the linked issue (https://bugzilla.mozilla.org/show_bug.cgi?id=443354#c29):
At the very least can we get rid of the sessions saved for sites with no open tabs?
We already do that. If that's not what you see, please file a new bug.
As far as I can tell, Firefox has stopped "doing that", this is the "new bug", and it hasn't been updated in 3 years.
It's a security issue. Many sites tell you "close this tab then quit the browser" to ensure that you're logged out, which seems like reasonable advice, but Firefox doesn't actually do the thing that the user-agent is supposed to do -- the thing that the above quote says it does.
Dale, can we please get a higher priority / security-relevant flag on this, so it actually gets some attention from the team?
As I commented on bug 530594 , I was able to isolate the issue to Firefox 55, to a change made between the Nightly builds of 2017-04-07 and 08. (So, please also flag the issue as a regression, because this used to work correctly.)
|
||
Comment 10•3 years ago
|
||
Hey Johann, do you think this needs security triage / flags?
|
||
Comment 11•3 years ago
|
||
(In reply to James B from comment #9)
As I commented on bug 530594 , I was able to isolate the issue to Firefox 55, to a change made between the Nightly builds of 2017-04-07 and 08. (So, please also flag the issue as a regression, because this used to work correctly.)
Thanks, James. The regression range is a big help!
Here is the changelog between Nightly builds 2017-04-07 and 2017-04-08:
In this changelog, bug 912717 ("Don't let SessionCookie collection jank the chrome process") looks like it me related.
|
||
Comment 12•3 years ago
|
||
I'm reading down from the top of that bug and almost immediately I see suggestions like "recursively walking history entries is expensive, we should cache it"... it's like being in the audience at the beginning of a horror film -- don't go in there, cache invalidation is One Of The Hard Problems!
At the end, they link to bug 1354523, which has had no activity for 4 years. "We should write some tests, I'll get to it Soon". Man, I've said that sentence a few too many times. Anyway, I voted for it, and I'll leave a comment over there pointing back to here.
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Updated•2 years ago
|
Description
•