Firefox badly handles cookie without Expire tag - possible security violation




15 years ago
11 years ago


(Reporter: vova, Unassigned)






15 years ago
User-Agent:       Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7) Gecko/20040823 Firefox/0.9.3
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7) Gecko/20040823 Firefox/0.9.3

Firefox badly handles a cookie that has no Expire attribute but does have a Max-Age attribute.
Such a cookie is not deleted when the browser is closed, but it should be.

Example (from an HTTP GET):
Set-Cookie: Ticket=408879998;Path=/;Max-Age=86400


If I look at the cookie's properties, I find:
Expires:   08.10.2004 18:10:10   (curtime + maxage)

And after the browser (all windows) is closed and started again, the cookie
still exists, so an intruder can use another user's login from before the browser was
closed to access secured data.

Max-Age in a cookie is used to expire the cookie after too long a period of inactivity, even if
the browser is still open.

Reproducible: Always
Steps to Reproduce:
1. make a page with a session cookie as described above
2. open this page
3. close browser
4. open browser again
5. find cookie still in list of cookies

Actual Results:  
cookie still exists

Expected Results:  
such cookie should not be stored on disk

This problem can lead to security violations.

Other browsers have no such problem (tried Opera, MSIE).

Comment 1

14 years ago
I have been able to reproduce this bug as well. If you open a site that uses
session cookies and browse through the site creating data in the session, then
close the browser/tab and open a new instance of the Firefox browser, the
session still seems to be valid from the new browser!

This means that the session cookie was not expired after the original
tab/browser was closed. I have been able to reproduce this on a consistent basis.


Akshat Bhargava

Comment 2

14 years ago
I am experiencing something similar. As a ColdFusion programmer, I find that
cookies are not expiring on browser close - that is, when a specific expiration
date is not given - IF a second instance or tab of Firefox is open. So cookies
expire on browser close if one instance is open, and do not if more than one is
open. I have confirmed this frequently by checking CFID, CFTOKEN and other
cookies I have set programmatically.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716
Assignee: bross2 → nobody
Component: General → Networking: Cookies
Product: Firefox → Core
QA Contact: general → networking.cookies

Comment 3

11 years ago
re comment 0, the max-age attribute does not relate to session cookies; so, it's valid that the client retain it until the expiration time you note, even cross-session. if it's keeping it longer than that, then it's a valid bug.

re comment 2, by "instance or tab" do you mean another window in the same process? if so, that's bug 117222, not this one.

comment 1 seems to be valid, however we'd need more details to investigate further. can you give exact steps to reproduce, including sites that exhibit the problem, the browser version(s) showing the bug, etc?

marking this WFM for now, please reopen if you can provide further detail.
Last Resolved: 11 years ago
Resolution: --- → WORKSFORME
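The disagreement between comment 0 and comment 3 comes down to the cookie lifetime rules later written down in RFC 6265: Max-Age (or Expires) makes a cookie persistent, and only a cookie with neither attribute is a session cookie that a browser must discard on close. The following Python script is an added illustration, not code from this bug or from Mozilla; it applies those rules to the Set-Cookie line quoted in the report plus a few constructed headers, and shows the server-side form a site should use when it actually wants a session cookie. REPORT_TIME is a constructed clock chosen so the computed expiry matches the one the reporter saw (08.10.2004 18:10:10 = receipt time + Max-Age); only the standard library is used.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed reference clock: the moment the report's cookie was received.
# The report shows Expires = 08.10.2004 18:10:10, i.e. this time + Max-Age=86400.
REPORT_TIME = datetime(2004, 10, 7, 18, 10, 10, tzinfo=timezone.utc)


@dataclass
class CookieLifetime:
    name: str
    persistent: bool                 # True if a browser may keep it across restarts
    expires_at: Optional[datetime]   # None for a session cookie


def classify_set_cookie(header: str, now: datetime) -> CookieLifetime:
    """Apply the RFC 6265 lifetime rules to one Set-Cookie line.

    Max-Age takes precedence over Expires; a cookie with neither is a
    session cookie and must be discarded when the user agent closes.
    """
    value = header.strip()
    if value.lower().startswith("set-cookie:"):
        value = value[len("set-cookie:"):].strip()
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    for attr in parts[1:]:
        key, _, raw = attr.partition("=")
        key, raw = key.strip().lower(), raw.strip()
        if key == "max-age":
            try:
                max_age = int(raw)      # non-numeric Max-Age is ignored (RFC 6265 5.2.2)
            except ValueError:
                pass
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(raw)
            except (TypeError, ValueError):
                pass                    # unparsable Expires is ignored (RFC 6265 5.2.1)
    if max_age is not None:
        # Max-Age <= 0 means "expire now"; otherwise now + delta-seconds.
        when = now if max_age <= 0 else now + timedelta(seconds=max_age)
        return CookieLifetime(name, True, when)
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return CookieLifetime(name, True, expires)
    return CookieLifetime(name, False, None)


def survives_restart(cookie: CookieLifetime, restart_at: datetime) -> bool:
    """Would a conforming browser still hold this cookie after a restart at restart_at?"""
    if not cookie.persistent:
        return False                     # session cookies die with the browser
    return cookie.expires_at > restart_at


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value for a true session cookie: no Expires and no Max-Age."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample headers; the first is the line quoted in comment 0.
    samples = [
        "Set-Cookie: Ticket=408879998;Path=/;Max-Age=86400",
        "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly; Secure",
        "Set-Cookie: CFID=42; Expires=Fri, 08 Oct 2004 20:00:00 GMT; Path=/",
        "Set-Cookie: Bad=1; Max-Age=tomorrow",
    ]
    one_hour_later = REPORT_TIME + timedelta(hours=1)
    for h in samples:
        c = classify_set_cookie(h, REPORT_TIME)
        print(f"{c.name:10} persistent={c.persistent!s:5} "
              f"survives_restart(+1h)={survives_restart(c, one_hour_later)}")
    print("session cookie:", session_cookie_header("SESSIONID", "abc123"))
```

Run against the report's header, the Ticket cookie is classified persistent with the same expiry the reporter observed, and it survives a restart an hour later, which is the conforming behaviour comment 3 describes; a restart after the 24-hour window would not find it. The Bad cookie shows the edge case where an unparsable Max-Age is ignored and the cookie silently falls back to session semantics, which is worth checking when a site's cookie lifetime does not behave as expected.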