Closed Bug 1468587 Opened 7 years ago Closed 7 years ago

Session cookie becomes persistent when Firefox is set to preserve tab history

Categories

(Firefox :: Untriaged, defect)

60 Branch
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 530594

People

(Reporter: szesiong, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Steps to reproduce:

I've created a simple webapp in AWS Lambda that creates a session cookie called 'TEST_SESSION_COOKIE' when the web browser does not send a session cookie with that key to it. This webapp also produces all the HTTP request headers sent by the web browser as output of the response.

https://t3xobl3f6i.execute-api.eu-west-1.amazonaws.com/test

1. Open the Firefox browser, go to Preferences/Startup and change 'When Firefox starts' to 'Show your windows and tabs from last time'.
2. Load https://t3xobl3f6i.execute-api.eu-west-1.amazonaws.com/test
3. First you will observe that the headers do not contain a Cookie header or the TEST_SESSION_COOKIE key.
4. Open 'Web Developer/Network' to start the Network debugger.
5. Reload the page and you will see that an HTTP request for the /test endpoint happened.
6. When you click on it, you can see that the Headers under the Response Headers section show the server side returning 'set-cookie: TEST_SESSION_COOKIE=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx; Secure; HttpOnly; Path=/' for the web browser to create a session cookie, as there is no expires/max-age parameter specified.
7. Close all the tabs and the Firefox browser entirely.
8. Open Firefox again and go to https://t3xobl3f6i.execute-api.eu-west-1.amazonaws.com/test
9. You will see the output 'Cookie: TEST_SESSION_COOKIE=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' with the same UUID value is still there, even if you reload.
10. The webapp only generates a new random UUID if the web browser did not submit the session cookie to the server side.

--- Source code for the session cookie webapp test (Python) ---

import uuid
import html
from flask import Flask, request, make_response

app = Flask(__name__)


@app.route('/', methods=['GET'])
def main():
    # Echo every request header back so the Cookie header (if any) is visible.
    headers = str(request.headers).strip()
    web_display = '<pre>%s</pre>' % html.escape(headers)
    if 'TEST_SESSION_COOKIE' in request.cookies:
        # Browser already sent the cookie: keep the existing value.
        return web_display, 200
    else:
        # No cookie yet: issue a fresh UUID with no max_age/expires,
        # i.e. a session cookie that should last only for the browser session.
        response = make_response(web_display, 200)
        response.set_cookie(
            key='TEST_SESSION_COOKIE',
            value=str(uuid.uuid4()),
            max_age=None,
            secure=True,
            httponly=True
        )
        return response

--- end of file ---

Actual results:

The session cookie becomes persistent even when Firefox is restarted, when the setting is changed to 'Show your windows and tabs from last time'.

Expected results:

The session cookie should always be cleared when the web browser process is restarted. This issue is not observed in web browsers like Apple Safari and Microsoft Edge.
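The reporter's app treats possession of the cookie as proof of a live session, so a browser that keeps a cookie without Expires/Max-Age across a restart (as in the steps above) keeps that session alive indefinitely on the server too. The following added example is not code from the bug report or from Mozilla; it shows the server-side complement a defender would want: the cookie is only a lookup key, and an idle timeout plus an absolute lifetime are enforced in a server-side store, so a replayed stale cookie is rotated whatever the browser did with it. It uses only the standard library (a small WSGI app instead of Flask) so it runs offline; the cookie name comes from the report, while the timeout values, the FakeClock and the constructed requests in call() are assumptions made for the demonstration.

```python
import time
import uuid
from http.cookies import SimpleCookie
from io import BytesIO

COOKIE_NAME = "TEST_SESSION_COOKIE"   # cookie name from the bug report
IDLE_TIMEOUT = 15 * 60                # constructed policy: 15 minutes idle
ABSOLUTE_LIFETIME = 8 * 3600          # constructed policy: 8 hours hard cap


class FakeClock:
    """Adjustable clock so expiry can be exercised without sleeping."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


class SessionStore:
    """Server-side session registry: validity is decided here,
    not by whether the browser chose to keep or drop the cookie."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session id -> (created_at, last_seen)

    def create(self):
        sid = str(uuid.uuid4())
        now = self._clock()
        self._sessions[sid] = (now, now)
        return sid

    def validate(self, sid):
        """True if sid is live; unknown or expired ids are dropped."""
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        created_at, last_seen = entry
        now = self._clock()
        if now - created_at > ABSOLUTE_LIFETIME or now - last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return False
        self._sessions[sid] = (created_at, now)   # refresh the idle timer
        return True


def make_app(store):
    """WSGI app mirroring the reporter's endpoint, with server-side expiry."""
    def app(environ, start_response):
        morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(COOKIE_NAME)
        headers = [("Content-Type", "text/plain; charset=utf-8")]
        if morsel is not None and store.validate(morsel.value):
            body = "session ok: %s\n" % morsel.value
        else:
            sid = store.create()
            # An explicit Max-Age tells the browser when to drop the cookie;
            # the store above enforces the same limit regardless.
            headers.append(("Set-Cookie",
                            "%s=%s; Max-Age=%d; Secure; HttpOnly; SameSite=Lax; Path=/"
                            % (COOKIE_NAME, sid, IDLE_TIMEOUT)))
            body = "new session: %s\n" % sid
        start_response("200 OK", headers)
        return [body.encode("utf-8")]
    return app


def call(app, cookie_header=None):
    """Run one constructed GET /test through the app; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/test",
               "wsgi.url_scheme": "https", "wsgi.input": BytesIO(b"")}
    if cookie_header:
        environ["HTTP_COOKIE"] = cookie_header
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body


def replay_scenario():
    """A browser keeps the cookie across a restart and replays it later.
    Returns (reused_before_timeout, rotated_after_timeout)."""
    clock = FakeClock()
    app = make_app(SessionStore(clock))
    _, h1, _ = call(app)
    sid = h1["Set-Cookie"].split(";")[0].split("=", 1)[1]
    _, h2, body2 = call(app, "%s=%s" % (COOKIE_NAME, sid))
    reused = "Set-Cookie" not in h2 and sid in body2
    clock.t += IDLE_TIMEOUT + 1          # cookie survived the restart; the session did not
    _, h3, body3 = call(app, "%s=%s" % (COOKIE_NAME, sid))
    rotated = "Set-Cookie" in h3 and sid not in body3
    return reused, rotated


if __name__ == "__main__":
    print(replay_scenario())   # (True, True)
```

The design point is that a cookie without Expires/Max-Age is a hint to the browser, not a guarantee; session restore in Firefox is one case where the hint is not honoured, so the server keeps its own clock and the cookie attributes merely tell a well-behaved browser the same deadline.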
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
I'm amazed by how the Mozilla team handles a reported issue by referencing a 9-year-old issue as a duplicate that is still unresolved.