Closed Bug 272743 Opened 21 years ago Closed 20 years ago

New browser instances share the same PHPSESSID data from cookie

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 117222

People

(Reporter: dpo, Assigned: bugzilla)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Opening new instances of firefox uses the same cookie information of the initial instance. This cookie is a session cookie and should be new. This may be a security BUG.

Reproducible: Always

Steps to Reproduce:
1. create a php file with this code
   <?php
   session_start();
   echo session_id();
   ?>
2. start first instance of firefox
3. start second instance of firefox

Actual Results: same session id

Expected Results: new session id

Reporter, when you open a new Firefox process (while the first one is still running), it's actually a new window in the first one. There are no 2 separate instances. That's why the session cookies seem to be shared. Also note that IE doesn't share session cookies between different windows, when launched by clicking the E-icon (but it still does it when you open a new window). See bug 117222.

*** This bug has been marked as a duplicate of 117222 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Moziller, I understand that you all want to make Firefox fast, but maybe you should make clear that clicking the Firefox icon doesn't open a new instance like Explorer does. Many people don't know about that and it causes confusion. You should also give the community the choice to open different instances of Firefox.

It also opens security considerations. If you are working with one application and want to open two browsers as two different users (let's say admin and simple user), currently you are not able to do that and this can be badly exploited.

Example:
1. you log in as user and leave the browser open but hidden, later your boss comes and wants to show you something
2. you open a new Firefox browser.
3. he logs in to the system, does something and closes the browser.
4. Now you can impersonate your boss because you have the cookie.
5. big problem.
Status: VERIFIED → UNCONFIRMED
Resolution: DUPLICATE → ---
*** This bug has been marked as a duplicate of 117222 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago → 20 years ago
Resolution: --- → DUPLICATE
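
The behaviour discussed in this bug, as an added example that is not part of the bug report and is not Firefox or PHP code: a small Python model in which every window of one browser process reads the same cookie jar, so the PHPSESSID is shared until the server invalidates the session on logout. The names `Server`, `BrowserProcess`, `Window`, `shared_workstation` and `separate_processes_share_id` are assumptions made for the illustration.

```python
# Constructed model: one cookie jar per browser process, shared by all windows.
import secrets

class Server:
    """Stands in for the PHP app: maps session id -> logged-in user."""
    def __init__(self):
        self.sessions = {}

    def handle(self, jar, action=None, user=None):
        sid = jar.get("PHPSESSID")
        if sid not in self.sessions:      # like session_start(): issue a new id
            sid = secrets.token_hex(16)
            self.sessions[sid] = None
            jar["PHPSESSID"] = sid
        if action == "login":
            self.sessions[sid] = user
        elif action == "logout":          # server-side invalidation
            del self.sessions[sid]
            jar.pop("PHPSESSID")
            return None
        return self.sessions[sid]

class Window:
    def __init__(self, jar):
        self.jar = jar                    # reference to the process-wide jar
    def request(self, server, action=None, user=None):
        return server.handle(self.jar, action, user)
    def session_id(self):
        return self.jar.get("PHPSESSID")

class BrowserProcess:
    """One running browser: session cookies live in the process, not the window."""
    def __init__(self):
        self.jar = {}
    def new_window(self):
        return Window(self.jar)

def shared_workstation(boss_logs_out):
    server, browser = Server(), BrowserProcess()
    first = browser.new_window()
    first.request(server, "login", "user")
    second = browser.new_window()         # the "second instance" is a new window
    second.request(server, "login", "boss")
    same_id = first.session_id() == second.session_id()
    if boss_logs_out:
        second.request(server, "logout")
    # Closing the second window clears nothing; the first window asks who it is.
    return same_id, first.request(server)

def separate_processes_share_id():
    server = Server()
    a, b = BrowserProcess().new_window(), BrowserProcess().new_window()
    a.request(server); b.request(server)
    return a.session_id() == b.session_id()
```

In this model, closing a window without logging out leaves the first window holding the last identity that logged in; an explicit logout that destroys the server-side session is what ends it.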