Closed Bug 1715751 Opened 3 years ago Closed 3 years ago

Logins not cleared after a hard power restart with "Delete cookies and site data when Firefox is closed"

Categories

(Firefox :: Session Restore, enhancement)

RESOLVED DUPLICATE of bug 345345

People

(Reporter: mauro.casonato2, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

  1. Set up Firefox with the option "Restore previous session" enabled.
  2. Sign in to several websites.
  3. HARD POWER OFF the system.
  4. Restart the system.
  5. Restart Firefox; note that all previous logins are still available. This is very dangerous because this is exactly what happens when a PC is stolen.

The problem does not occur if Firefox is restarted gracefully.

Firefox 89.0 (64-bit)
Ubuntu 20.04.2 LTS
PC Lenovo ThinkPad P17 Gen 1

Flags: sec-bounty?
See Also: → 1715992

Do you have additional settings to clear cookies on exit? Or is this only on certain websites? Generally logins persist across restarts.

Flags: needinfo?(mauro.casonato2)

I'm thinking of the "Delete cookies and site data when Firefox is closed" option.

Group: firefox-core-security → core-security
Component: Security → Networking: Cookies
Product: Firefox → Core

Yes, correct, the "Delete cookies and site data when Firefox is closed" option is enabled. However, from a security point of view, this should be a default.

Thanks for the clarification. I'm not an expert on this code, but I would expect that this is the intended behavior given that Firefox was never closed. Handling this situation better would probably require something like letting the cookies get saved to disk, which would be slightly different, so this is kind of like a feature request.

Flags: needinfo?(mauro.casonato2)
Summary: Logins not cleared after a hard power restart → Logins not cleared after a hard power restart with "Delete cookies and site data when Firefox is closed"
Group: core-security → network-core-security

Since Firefox is not closed gracefully, there is not much we can do at the shutdown phase.
However, maybe we can try to clear cookies at the beginning of restoring sessions when "Delete cookies and site data when Firefox is closed" is enabled.

I'd like to switch the component to Session Restore and see what they think about this.

Group: network-core-security → firefox-core-security
Type: task → enhancement
Component: Networking: Cookies → Session Restore
Product: Core → Firefox

In fact, restoring your session to a working state after a crash was an explicit goal of the sessionrestore feature, and "to a working state" requires keeping the cookies so that you stay logged in.

"when Firefox is closed" means when it gracefully exits and gets to do its shutdown routines. A crash is not "closing" the browser; it's an abrupt termination.

> However, maybe we can try to clear cookies at the beginning of restoring sessions when Delete cookies and site data when Firefox is closed is enabled.

I don't think we should. If you don't want session restore after a crash then turn off session restore. There's no point in having a broken session restore by default and it can already be disabled. The current behavior was an intentional choice years ago: https://bugzilla.mozilla.org/show_bug.cgi?id=345345 If we're going to change this behavior it will require design discussion and even advocacy, which is not conducted in a bug but rather in our forums, chat, and mailing lists.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-