292642 - HTTP auth credentials are cached as long as any browser window remains active

Status: RESOLVED INVALID

(Firefox :: Security, defect)

Description

[James Landis]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

When closing a browser window containing a site that requires HTTP auth
credentials, those credentials are cached as long as there are any other browser
windows open. HTTP auth credentials should be expired when the last window with
active pages on the domain is closed.

Reproducible: Always

Steps to Reproduce:
1. Open multiple FireFox windows/tabs.
2. In one of these windows/tabs, log into a Web site requiring HTTP basic auth.
3. Close the window/tab containing the site requiring HTTP auth.
4. Return to the site requiring HTTP auth in any existing or new window/tab.

Actual Results:  
Authentication credentials are cached, and the users is automatically logged
into the site.

Expected Results:  
Authentication credentials should be expired, requiring the user to reenter
them. Alternately, a user could choose to save the credentials, but this should
require an explicit confirmation. Default behavior should be to expire the
credentials when the last window is closed.

Comment 1

[Matthias Versen [:Matti]]

basic Authentification is per session as requested by the HTTP RFC. (=it's by
design) 
IE also handles it in this way with the small difference that you get multible
sessions unless you open new windows with ctrl-n while Mozilla/Firefox always is
using one single session.

for a manual logout see bug 55181

marking invalid (it's by design) but CC darin and dveditz to confirm that

Comment 2

[Darin Fisher]

Yes, this behavior is by design.