Closed Bug 1813375 Opened 3 years ago Closed 3 years ago

Session cookies are not removed on session end; session restore resurrects them

Categories

(Firefox :: Session Restore, defect)

Firefox 109
defect

RESOLVED DUPLICATE of bug 530594

People

(Reporter: andreas, Unassigned, NeedInfo)

Details

(Keywords: privacy)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0

Steps to reproduce:

  • Log on to a website that uses session cookies.
  • Close Firefox and wait for background processes to finish.
  • Open Firefox and use History/Restore last session.

Reproduced on Linux and Windows:
"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0"

Actual results:

The former session tabs were restored including active session cookies, allowing one to work with the website's user session without the need to log on again.

As I could reproduce this, for example, with my online banking, I would consider this bug security related.

There was a former discussion about this in Bug 691973 as a subtopic, but as I think there is a security issue especially with session cookies, I am filing this dedicated bug report.

Expected results:

The session cookies should have been cleared during the shutdown of Firefox.

The session tab should have been restored with an invalidated user session.
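A way to check the expected result directly, after Firefox has fully quit, is to inspect the profile's session store for the session cookies that a later "Restore last session" would put back. The script below is an added example, not part of this bug report or of Firefox's own code. It assumes the mozLz4 container layout (magic `mozLz40\0`, a 4-byte little-endian decompressed size, one raw LZ4 block) and that session cookies sit in a top-level `cookies` array, or under `windows[*].cookies` in older profiles; the LZ4 decoder is a minimal pure-Python one written here to avoid a dependency, and the sample store is constructed.

```python
"""Scan a Firefox sessionstore file for persisted session cookies.

Added example for bug 1813375; not Firefox code. Assumptions (see lead-in):
 - file = b"mozLz40\0" + 4-byte LE decompressed size + one LZ4 block
 - cookies in store["cookies"] (newer) or store["windows"][i]["cookies"] (older)
"""
import json
import struct
import sys
from pathlib import Path

MOZLZ4_MAGIC = b"mozLz40\0"


def lz4_block_decompress(src: bytes, expected_size: int) -> bytes:
    """Minimal LZ4 block decoder (literals + back-references), pure Python."""
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        lit_len = token >> 4
        if lit_len == 15:                      # extended literal length
            while True:
                b = src[i]
                i += 1
                lit_len += b
                if b != 255:
                    break
        out += src[i:i + lit_len]
        i += lit_len
        if i >= n:                             # last sequence: literals only
            break
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("corrupt LZ4 block: bad match offset")
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:               # extended match length
            while True:
                b = src[i]
                i += 1
                match_len += b
                if b != 255:
                    break
        start = len(out) - offset
        for k in range(match_len):             # byte-wise: matches may overlap
            out.append(out[start + k])
    if len(out) != expected_size:
        raise ValueError(f"size mismatch: got {len(out)}, header says {expected_size}")
    return bytes(out)


def read_mozlz4(data: bytes) -> dict:
    """Parse a mozLz4 container into the JSON session store it holds."""
    if not data.startswith(MOZLZ4_MAGIC):
        raise ValueError("not a mozLz4 file")
    (size,) = struct.unpack_from("<I", data, len(MOZLZ4_MAGIC))
    raw = lz4_block_decompress(data[len(MOZLZ4_MAGIC) + 4:], size)
    return json.loads(raw.decode("utf-8"))


def persisted_session_cookies(store: dict) -> list:
    """(host, name) for every session cookie the store would resurrect."""
    entries = list(store.get("cookies", []))
    for w in store.get("windows", []):
        entries.extend(w.get("cookies", []))
    return [(c.get("host", ""), c.get("name", "")) for c in entries]


def cookies_for_hosts(store: dict, sensitive_hosts) -> list:
    """Restrict to hosts you care about (e.g. your bank); domain cookies match too."""
    hits = []
    for host, name in persisted_session_cookies(store):
        h = host.lstrip(".")
        if any(h == s or h.endswith("." + s) for s in sensitive_hosts):
            hits.append((host, name))
    return hits


def mozlz4_wrap_uncompressed(payload: bytes) -> bytes:
    """Wrap bytes as a valid mozLz4 file using one all-literal LZ4 sequence.
    Constructed test input only; a real Firefox file is properly compressed."""
    n = len(payload)
    if n < 15:
        block = bytes([n << 4]) + payload
    else:
        rest = n - 15
        block = bytes([0xF0]) + b"\xff" * (rest // 255) + bytes([rest % 255]) + payload
    return MOZLZ4_MAGIC + struct.pack("<I", n) + block


# Constructed sample store: two newer-style cookies plus one older-style one.
SAMPLE_STORE = {
    "version": ["sessionrestore", 1],
    "cookies": [
        {"host": "bank.example", "name": "SESSIONID", "value": "constructed",
         "path": "/", "secure": True, "httponly": True},
        {"host": ".example.net", "name": "sid", "value": "constructed", "path": "/"},
    ],
    "windows": [{"tabs": [], "cookies": [
        {"host": "legacy.example", "name": "JSESSIONID", "value": "constructed"}]}],
}


if __name__ == "__main__":
    # Usage: python3 check_sessionstore.py <profile>/sessionstore-backups/recovery.jsonlz4
    if len(sys.argv) > 1:
        data = Path(sys.argv[1]).read_bytes()
    else:
        data = mozlz4_wrap_uncompressed(json.dumps(SAMPLE_STORE).encode())
    for host, name in persisted_session_cookies(read_mozlz4(data)):
        print(f"session cookie persisted for {host}: {name}")
```

Any line printed for a host you logged out of is a cookie the next "Restore last session" would bring back; an empty result after a clean quit is the behaviour the expected results above describe.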

> open Firefox, Use History/Restore last session

The folks behind session restore adamantly believe that they aren't "restoring a session" if you re-open pages in logged-out state. If the session-defining session cookies are deleted you will likely get redirected to a home/login page, and even if not you won't be able to carry on work on any page requiring login. This has been debated for years (see bug 530594 "eternalsession").

That's arguable for crash recovery, but bug 529899 was supposed to fix the specific case you're reporting (as opposed to post-crash recovery or a restart as part of an auto-update): in step two you explicitly quit Firefox. We need to figure out why that regressed, or if there's some issue unique to your situation (seems unlikely).

Component: Untriaged → Session Restore
Flags: needinfo?(dao+bmo)
See Also: → eternalsession, 529899
Flags: needinfo?(dveditz)
Keywords: privacy

I mis-remembered bug 529899: that only fixed the narrow case of when someone has said Firefox should clear all cookies on exit. This bug is exactly what the "eternalsessions" bug is about.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Duplicate of bug: eternalsession
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE
Summary: Session cookies not removed on session end → Session cookies are not removed on session end; session restore resurrects them