Closed Bug 1914573 Opened 1 year ago Closed 1 year ago

Cookie does not clear upon exiting browser while private browser is also open

Categories

(Firefox :: Private Browsing, defect)

Firefox 129
RESOLVED WONTFIX

People

(Reporter: jvaleska112, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0

Steps to reproduce:

I ran a Java web application on normal Firefox, and had a Firefox Private browser open as well. I then closed the normal Firefox window while keeping the Private window open.

Actual results:

I once again opened the normal Firefox browser and typed in the link just to find that the previous session is still continued; instead of going to the Login page the application took me directly to the menu, which it does if the session still exists. Upon inspecting the Developer console, the same JSession cookie is continued from the previous session.

Expected results:

Upon re-visiting the link, the application should have gone back to the Login page, as the JSession cookie would be renewed as well. I tried the same in the Microsoft Edge browser and it works as expected; even if a Private browser is open in the background, the JSession cookie would renew itself each time I fully close the browser and open it again.

Group: firefox-core-security
Component: Untriaged → Private Browsing

To clarify the issue, is the JSession cookie session only? If not, have you enabled "Delete cookies and site data when Firefox is closed" option via the about:preferences#privacy page?

Flags: needinfo?(jvaleska112)

Yes, the cookie is session only with the following properties:
Expires / Max-Age:"Session"
HostOnly:true
HttpOnly:true
SameSite:"None"
Secure:true

Also, the "Delete cookies and site data when Firefox is closed" option is not enabled.

Flags: needinfo?(jvaleska112)

The severity field is not set for this bug.
:timhuang, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(tihuang)

This might be unexpected from the user perspective. Especially so since we've been separating private browsing out more recently by adding a separate private browsing mode shortcut and showing a separate taskbar icon on Windows.

However this is working "as designed". Session cookies are kept in memory and are persisted until the entire browser closes (the parent process exits). If you close the normal browsing window but keep the private browsing window open the process never exits and the session cookies remain.

A fix for this would be quite complex and would require a lot of refactoring how we manage session cookies. Given that this is not a very severe issue it's a WONTFIX for me.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX
Flags: needinfo?(tihuang)
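
The behaviour explained in the last comment, as an added example that is not part of the bug thread or of Firefox's code: a constructed model of a browser whose session cookie jar is cleared only when the last window closes, paired with a server-side session store that applies idle and absolute timeouts so the application does not depend on browser exit to end a session. The class and function names, the `JSESSIONID` cookie name and the timeout values are assumptions.

```python
import secrets

class BrowserProcess:
    """Constructed model: session cookies sit in parent-process memory."""
    def __init__(self):
        self.windows = {}          # window name -> is_private
        self.session_cookies = {}  # normal-mode jar, never written to disk
    def open_window(self, name, private=False):
        self.windows[name] = private
    def close_window(self, name):
        del self.windows[name]
        if not self.windows:       # last window gone: parent process exits
            self.session_cookies.clear()

class SessionStore:
    """Server side: expire sessions by time instead of trusting browser exit."""
    def __init__(self, idle_timeout, absolute_timeout):
        self.idle, self.absolute = idle_timeout, absolute_timeout
        self._sessions = {}        # session id -> [created_at, last_seen]

    def create(self, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = [now, now]
        return sid

    def validate(self, sid, now):
        rec = self._sessions.get(sid)
        if rec is None:
            return False
        if now - rec[1] > self.idle or now - rec[0] > self.absolute:
            del self._sessions[sid]  # expired: force a new login
            return False
        rec[1] = now
        return True

def replay_report(idle_timeout=900, absolute_timeout=28800):
    """Follow the report's steps; times are seconds on a constructed clock."""
    server, browser = SessionStore(idle_timeout, absolute_timeout), BrowserProcess()
    browser.open_window("normal")
    browser.open_window("private", private=True)
    browser.session_cookies["JSESSIONID"] = server.create(now=0)  # assumed cookie name
    browser.close_window("normal")          # private window keeps the process alive
    browser.open_window("normal")
    sid = browser.session_cookies.get("JSESSIONID")
    survived = sid is not None              # cookie outlived the closed window
    soon = server.validate(sid, now=60)     # reopened a minute later: still logged in
    late = server.validate(sid, now=60 + idle_timeout + 1)  # idle limit passed
    for name in ("normal", "private"):      # closing every window ends the process
        browser.close_window(name)
    return survived, soon, late, "JSESSIONID" in browser.session_cookies
```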