Authentication Decisions: delete not in effect until cookie is cleared
Categories: Core :: Security: PSM, defect, P3
People: Reporter: david.balazic, Unassigned
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Steps to reproduce:
- create new profile
- start FF with the new profile
- load 2 personal/client certificates into Firefox/Settings...
- visit a web page that uses/requires client certificates
- in the "dialog" select one of the client certificates to use
- open Settings / Certificate manager (in another tab)
- in "Authentication Decisions" delete line for the last decision (should be the only one)
- reload the first tab (or click any link in it)
Actual results:
The old client certificate is used to connect to the web site (confirmed in server logs).
Expected results:
Firefox should ask the user to select one of the two client certificates.
Comment 1 (Reporter) • 1 year ago
Additional details:
- after clearing the "Authentication Decisions"
- on the tab with the test web page, open devtools (F12)
- in Storage click Cookies / URL to display the web page cookies (the test page I used creates a single JSESSIONID cookie)
- right click the cookie and select one of the "Delete" entries to delete it
- refresh page (F5)
Now it asks to select the client certificate.
Hmm... no, wait. I just tried this again and now it does not work. FF keeps using the previously selected certificate and does not ask again.
But sometimes this triggers FF to show the certificate selection. Weird, almost random.
Comment 2 • 1 year ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 3 • 1 year ago
We need to clear the TLS session cache when this happens. I thought there was already a bug for this, but I can't find it right now.
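As an added illustration (not code from the bug report or from Firefox), the Go program below models the mechanism comment 3 points at using Go's crypto/tls over loopback: a TLS 1.3 session ticket carries the client-certificate authentication from the original handshake, so a client that would now present a different certificate but still holds its session cache is resumed without a CertificateRequest, and the server keeps logging the old certificate; only a cleared session cache forces a fresh handshake. The certificate names, the server's log-line format and the assumption that Go's server restores PeerCertificates on a resumed session are this example's own.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/tls"; "crypto/x509"; "crypto/x509/pkix"
	"fmt"; "math/big"; "net"; "time"
)
// selfSigned builds a throwaway self-signed certificate (constructed test material, not a real identity).
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// clientCfg is a client that presents the cert named cn and remembers TLS sessions in cache (test-only: no server verification).
func clientCfg(cn string, cache tls.ClientSessionCache) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{selfSigned(cn)}, ClientSessionCache: cache, InsecureSkipVerify: true}
}
// Scenario replays the report over loopback: connect as client-A; "forget" that decision and pick client-B while
// keeping the session cache; then pick client-B with the cache cleared too. Returns one server log line per connection.
func Scenario() ([]string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return nil, err }
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{selfSigned("server")}, ClientAuth: tls.RequireAnyClientCert}
	kept := tls.NewLRUClientSessionCache(4)
	clients := []*tls.Config{clientCfg("client-A", kept), clientCfg("client-B", kept), clientCfg("client-B", tls.NewLRUClientSessionCache(4))}
	logLines := make(chan string, len(clients))
	go func() { // server side: one log line per accepted connection, as an operator would see it
		for range clients {
			raw, e := ln.Accept()
			if e != nil { return }
			srv := tls.Server(raw, srvCfg)
			_, err := srv.Write([]byte("x")) // Write runs the handshake first; a resumed session gets no CertificateRequest
			st := srv.ConnectionState()
			srv.Close()
			if err != nil || len(st.PeerCertificates) == 0 { logLines <- fmt.Sprintf("handshake failed: %v", err); continue }
			logLines <- fmt.Sprintf("cn=%s resumed=%t", st.PeerCertificates[0].Subject.CommonName, st.DidResume)
		}
	}()
	var out []string
	for _, cfg := range clients {
		cli, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if err != nil { return nil, err }
		cli.Read(make([]byte, 1)) // reading app data also processes the NewSessionTicket into the session cache
		cli.Close()
		out = append(out, <-logLines)
	}
	return out, nil
}
```

The second log line is the bug's symptom (still cn=client-A, resumed=true) and the third is what clearing the TLS session cache alongside the stored decision produces.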