Closed Bug 296644 Opened 20 years ago Closed 9 months ago

Sanitize doesn't clear per-session passwords

Categories

(Firefox :: Settings UI, defect)

Product:
Firefox
Component:
Settings UI
Type:
defect

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: otto, Unassigned)

References

(
URL
)

Details

Attachments

(1 file)

Patch to sanitize.js
958 bytes, patch
mconnor
: review-
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050515 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Macitosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050530 Firefox/1.0+

Using Sanitize doesn't clear passwords that were prompted with
SAVE_PASSWORD_FOR_SESSION

Reproducible: Always

Steps to Reproduce:
1. Go to some URL that requires authentication. The URL for this bug is one with
user "testing" and password "123"
http://dent.student.umd.edu/~atrus/auth_test/
2. Select Tools>Sanitize Firefox/DeerPark
3. Visit the URL again

Actual Results:  
Accessed the resource without entering the password

Expected Results:  
Prompted the user for a password
Digging deeper ... It appears that this is cached at the HTTPChannel level. The
password manager is only used for filling in the prompts, when they appear.
There's an nsHttpAuthCache object used by HTTP channels and simple username and
password members for FTP connection threads. If that is correct then it will be
difficult to hunt them all down and reset them, yes?
This is a small patch that uses nsIHttpAuthManager.clearAll to clear the cached
auth info. It's tied to "clear passwords" because it's unlikely that a user
would want to differentiate between cached http auth and passwords stored via
the password manager.
Version: unspecified → Trunk
Comment on attachment 187327 [details] [diff] [review]
Patch to sanitize.js

Ok, this is a good start, but we need a second avenue to clear session data as
well, without having to clear passwords, but I think that's covered under the
SSL session bug.
Attachment #187327 - Flags: review+
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 187327 [details] [diff] [review]
Patch to sanitize.js

this doesn't do enough, actually, since SSL sessions will still be intact.
Attachment #187327 - Flags: review+ → review-
To clear cached shared secrets ...
Hrm, if I understand things correctly, we need to call SSL_ClearSessionCache, or
replace the cache.
nsCRLManager::ImportCrl
nsCRLManager::DeleteCrl
nsNSSComponent::ShutdownNSS

Shutting down NSS and bringing it back up looks like the best way to go about
this. We can trigger this by broadcasting a profile change (perhaps change
profile from and to the same one?)[1]

There's also the issue of ssl/tls certs. nsICertTree seems to cover that.[2]

FTP saves passwords internally, so I'm not sure how to handle that.

[1]
http://lxr.mozilla.org/seamonkey/source/security/manager/ssl/src/nsNSSComponent.cpp#1767
[2]
http://lxr.mozilla.org/seamonkey/source/security/manager/pki/resources/content/certManager.js#76
I found bug 296644 since the partial fix is included in recent 1.5 releases. That's (partially) resolved, so I think comment 4 is addressed. The "Authenticated Sessions" label seems to be a better fit than my current patch's passwords.

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --

The severity field is not set for this bug.
:jhirsch, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jhirsch)

Closing this long-abandoned bug

Status: NEW → RESOLVED
Closed: 9 months ago
Flags: needinfo?(jhirsch)
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: