Closed Bug 1715992 Opened 3 years ago Closed 3 years ago

"restore previous session" reuses a session cookie even after closing browser

Categories

(Core :: Networking: Cookies, defect)

Firefox 89
defect

RESOLVED DUPLICATE of bug 530594

People

(Reporter: wr47, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0

Steps to reproduce:

Log into a secure session on remote browser.
Close browser and all windows.
Reopen browser and click on Restore Previous Session

Actual results:

The browser reuses a session cookie even though the browser was closed and strolls into the remote session without re-asking for authentication.

Expected results:

Do not know when this changed, but previous versions of Firefox correctly did not reuse session cookies.

Group: firefox-core-security → core-security
Component: Untriaged → Networking: Cookies
Product: Firefox → Core
Summary: Major security issue? "restore previous session" reuses a session cookie even after closing browser → "restore previous session" reuses a session cookie even after closing browser

I'm not sure what the right component for this bug is, but I'll put it here for now.

Group: core-security → network-core-security

Thanks for reporting this.
Could you try to use mozregression to find out the problem?
I also have some questions. What does remote browser mean? Does this only happen on some particular website?

Flags: needinfo?(wr47)

This is possibly more related to Session Restore, which has had some rewrites for Fission.

Do not know when this changed, but previous versions of Firefox correctly did not reuse session cookies.

It depends on what your preferences are set to. We've long argued over the fact that by default it certainly does restore session cookies. Product leaders believe that's the behavior most users want and expect. See bug 530594 and its many dupes and predecessors.

If your default cookie lifetime is set to session only (network.cookie.lifetimePolicy set to 2) or you're in "Permanent Private Browsing" (browser.privatebrowsing.autostart set to true) then session cookies shouldn't be saved (bug 529899). Do you have either of those settings? If you open preferences to the privacy tab (about:preferences#privacy) and scroll down to the "Cookies and Site Data" section then the "Delete cookies and site data when Nightly is closed" checkbox will be checked.

It's possible we've regressed this, although we should have tests now. We've regressed at least once before when cookie storage details changed and the session restore code wasn't updated to match (bug 1359344)

(In reply to Kershaw Chang [:kershaw] from comment #4)

Thanks for reporting this.
Could you try to use mozregression to find out the problem?
I also have some questions. What does remote browser mean? Does this only happen on some particular website?

Sorry, typo: I meant "remote server" instead of remote browser.

This happens on every website including this site. For example:
I have a window with 2 tabs: GMX Webmail (https, logged in) and bugzilla.mozilla.org (https, logged in).
I close all windows - Firefox no longer running.

I use History -> "restore previous session"

The result is 2 open tabs in which I am logged in without being asked to re-authenticate.

This funks me. I do not know when this behavior changed (I work exclusively in Firefox), but I am very sure that several months ago the behaviour was different - as in Chrome, where after closing all windows the browser does not reuse a 'session' cookie, which forces the remote server to require authentication again. Re-authentication is the behaviour that I would expect.

Unfortunately, I'm very busy this week, but I will try to install mozregression in the next few days and find out when that changed.

Flags: needinfo?(wr47)

Putting the reporter's needinfo back to indicate the "pending" state here. Would still like to know about your cookie lifetime policy and if that changed recently, because this sounds like the default behavior described in the "eternalsession" bug 530594

Flags: needinfo?(wr47)

Sorry, I was unaware that this behavior is apparently the default now in Firefox.
I consider this a mistake and a serious security risk.

As I see it, this is just plain not a prerogative of the user. It very seriously exposes the remote website to unauthorised access.

Google's Chrome DOES NOT reuse session cookies after closing the browser and that should be the appropriate behavior.
A session cookie should end when closing the browser. Anything else makes no sense to me.

Flags: needinfo?(wr47)

I do not know when this behavior changed

...

apparently the default now in Firefox.

This has been the default since the session restore feature started and has never changed. See the arguments in bug 443354 and bug 345345. Those of us who consider it a mistake have not prevailed against the people who want the browser to Just Work.

Group: network-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE