Closed Bug 1606789 Opened 4 years ago Closed 4 years ago

First run page suggests signing in when you already are, and accounts.firefox.com doesn't indicate you already are logged in

Categories

(Firefox :: Firefox Accounts, defect, P2)

71 Branch
defect

Tracking

RESOLVED MOVED

People

(Reporter: elias.skogevall, Assigned: markh, NeedInfo)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0

Steps to reproduce:

  1. I reinstalled Firefox because it crashed every time I tried to open it
  2. Firefox asked me to have a "fresh start" so I clicked it
  3. Firefox asked me to log in to Firefox so I clicked it
  4. Then I added LastPass to Firefox because I didn't know the password to my Firefox account
  5. LastPass didn't seem to work so I closed Firefox
  6. And was logged in when I started Firefox again

Expected results:

I expected to not be logged in after restart of Firefox. Maybe this has something to do with the old data after reinstalling Firefox?

Reinstalling Firefox doesn't delete your profile data, which is stored in your user directory rather than as part of the installation.

The "fresh start" is something we proactively offer from Firefox if we notice you're reinstalling, because we are aware people try it as a way of fixing issues (cf. you saying "because it crashed every time I tried to open it"). It gets you a fresh, clean profile, but it copies across data that we expect you will want (like your bookmarks etc.). This includes Firefox Account information. So I think this is expected. It's quite possible that on the first run of this new-profile-but-with-all-your-old-data, we also open a page that suggests you sign in with a Firefox Account (because we probably do that whenever you've just installed Firefox), which we probably shouldn't do in this case. Mark, do you know more about what's going on here?

Either way this isn't an exploitable security bug that needs to stay hidden.

Group: firefox-core-security
Component: Untriaged → Firefox Accounts
Flags: needinfo?(markh)
Summary: I got loged in without password when I reinstalled Firefox → I got logged into sync / firefox account without password when I reinstalled Firefox
Assignee: nobody → markh
Priority: -- → P2

Yes, this will be exactly as described by Gijs:

  • We end up doing a profile reset, which copies your Firefox Account info across.
  • However (1), the first-start page currently doesn't check if you are signed in to an account, so still asks you to sign in to sync - even though you already are.
  • However (2), when you then land on accounts.firefox.com, it too also doesn't check if you are signed in - it does pre-fill your account name, but asks for your password and tells you to continue to "Sign in to Sync" - even though you are already signed in to sync.

(2) in particular could have relatively bad consequences - you may have forgotten your FxA password, so end up going through a "reset" process, even though you were already signed in. Each of your devices then needs to sign in again - none of which was necessary.

So I think there are 2 bugs here:

  1. The first-run/welcome page should check if you are signed in to sync - it's rare that you will be, but the profile reset case is an example of when you will. I guess another example would be if you sign in on that first start, then restore your session on the next start, restoring the welcome page.

  2. The FxA signin page should consider telling you that you already are signed in to sync on this device - possibly even offering to allow you to disconnect etc.

CC Ryan Feeley and Ana, plus I'll needinfo Ana for some product perspective and to decide what, if anything, is actionable here.

Flags: needinfo?(markh) → needinfo?(amedinac)
Summary: I got logged into sync / firefox account without password when I reinstalled Firefox → First run page suggests signing in when you already are, and accounts.firefox.com doesn't indicate you already are logged in

> However (2), when you then land on accounts.firefox.com, it too also doesn't check if you are signed in - it does pre-fill your account name, but asks for your password and tells you to continue to "Sign in to Sync" - even though you are already signed in to sync.

I filed this with the FxA team.
https://jira.mozilla.com/browse/FXA-939

I'll bring this to Jim's attention too.

There's nothing client-side that's actionable here - the jira issue Alex mentioned (aka https://github.com/mozilla/fxa/issues/3906) is where this needs to happen, so MOVED.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → MOVED