Closed
Bug 263321
Opened 20 years ago
Closed 17 years ago
Firefox badly handle cookie without expire tag - possible security violation
Categories
(Core :: Networking: Cookies, defect)
RESOLVED
WORKSFORME
People
(Reporter: vova, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7) Gecko/20040823 Firefox/0.9.3
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7) Gecko/20040823 Firefox/0.9.3

Firefox badly handles a cookie that has no Expire attribute but does have a MaxAge attribute. Such a cookie is not deleted when the browser is closed, but it should be.

Example (from HTTP GET):
...
Set-Cookie: Ticket=408879998;Path=/;Max-Age=86400
...

If I look at the cookie's properties, I find:
Expires: 08.10.2004 18:10:10 (curtime + maxage)

And after the browser (all windows) is closed and started again, the cookie still exists, so an intruder can use another user's login from before the browser was closed to access secured data. MaxAge in a cookie is used to expire the cookie after too long a period of inactivity, even if the browser is still open.

Reproducible: Always

Steps to Reproduce:
1. Make a page with a sescookie as described above
2. Open this page
3. Close the browser
4. Open the browser again
5. Find the cookie still in the list of cookies

Actual Results: The cookie still exists

Expected Results: Such a cookie should not be stored on disk

This problem can lead to security violations. Other browsers have no such problem (tried Opera, MSIE)
Comment 1•20 years ago
I have been able to reproduce this bug as well. If you open a site that uses session cookies and browse through the site creating data in the session, then close the browser/tab and open a new instance of the Firefox browser, the session still seems to be valid from the new browser! This means that the session cookie was not expired after the original tab/browser was closed. I have been able to reproduce this on a consistent basis.

Thanks,
Akshat Bhargava
I am experiencing something similar. As a ColdFusion programmer, I find that cookies are not expiring on browser close - that is, when a specific expiration date is not given - IF a second instance or tab of Firefox is open. So - cookies expire on browser close if one instance is open, but do not if more than one is open. I have confirmed this frequently by checking CFID, CFTOKEN and other cookies I have set programmatically.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Updated•18 years ago
Assignee: bross2 → nobody
Updated•18 years ago
Component: General → Networking: Cookies
Product: Firefox → Core
QA Contact: general → networking.cookies
Comment 3•17 years ago
re comment 0, the max-age attribute does not relate to session cookies; so, it's valid that the client retain it until the expiration time you note, even cross-session. if it's keeping it longer than that, then it's a valid bug.

re comment 2, by "instance or tab" do you mean another window in the same process? if so, that's bug 117222, not this one.

comment 1 seems to be valid, however we'd need more details to investigate further. can you give exact steps to reproduce, including sites that exhibit the problem, the browser version(s) showing the bug, etc?

marking this WFM for now, please reopen if you can provide further detail.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
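The distinction drawn in comment 3, shown as an added example that is not part of the original bug report and is not Firefox code: a cookie with Max-Age or Expires is persistent, and only a cookie with neither attribute is a session cookie (the rule RFC 6265 section 5.3 gives). The function names and the "current time" are constructed for illustration, and `Date.parse` stands in for the RFC's own date parser.

```javascript
// Classify a Set-Cookie value as session or persistent (RFC 6265 sec. 5.3).
// Hypothetical helper for auditing a server's cookies, not browser code.
function classifySetCookie(header, nowMs) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: the header is ignored
  let maxAgeMs = null;
  let expiresMs = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "max-age" && /^-?\d+$/.test(val)) {
      maxAgeMs = Number(val) * 1000; // malformed values are ignored
    } else if (key === "expires") {
      const t = Date.parse(val); // simplification of the RFC date parser
      if (!Number.isNaN(t)) expiresMs = t;
    }
  }
  const name = pair.slice(0, eq);
  if (maxAgeMs !== null) {
    // Max-Age wins over Expires; zero or negative means "already expired".
    const expiry = maxAgeMs <= 0 ? 0 : nowMs + maxAgeMs;
    return { name, persistent: true, expiry };
  }
  if (expiresMs !== null) return { name, persistent: true, expiry: expiresMs };
  // Neither attribute: session cookie, discarded when the session ends.
  return { name, persistent: false, expiry: null };
}

// A cookie is still present after a browser restart only if it is
// persistent and its expiry time has not passed at restart.
function survivesRestart(cookie, restartMs) {
  return cookie !== null && cookie.persistent && cookie.expiry > restartMs;
}

// Constructed "current time", chosen to match the Expires value in comment 0.
const NOW = Date.UTC(2004, 9, 7, 18, 10, 10);
const HOUR = 3600 * 1000;

// The header from comment 0, and the same cookie issued as a session cookie.
const reported = classifySetCookie("Ticket=408879998;Path=/;Max-Age=86400", NOW);
const sessionOnly = classifySetCookie("Ticket=408879998;Path=/", NOW);

console.log(survivesRestart(reported, NOW + HOUR));      // kept until expiry
console.log(survivesRestart(reported, NOW + 25 * HOUR)); // past Max-Age
console.log(survivesRestart(sessionOnly, NOW + HOUR));   // session cookie
```

A site that needs the login to end when the browser closes would issue the cookie without Max-Age or Expires and enforce the inactivity timeout on the server side.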