Closed Bug 304929 Opened 19 years ago Closed 19 years ago

Password manager fills in username and password without asking for the master password

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 222408

People

(Reporter: jchahade, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

When I visit a web page requir a password and the password manager remember it,
it does work fine, but when I exit the site and keep the browser open and
continue surfing  then come back to the same page or click the back button the
browser fill in the username and password autmaticlly without asking for master
password. in another word if I don't completly exit the browser and reload agin
I will be able to access all the sites the password manager saves the username
and password for me so if another person came after me using the pc he/she can
go on my personal sites and check all my account without any prob. 

Reproducible: Always
short answer: this is the way it's designed to work.  You only need to provide
the master password once per session.  If you have security concerns, lock your
computer, exit out of your programs, or log out.  See bug 266778.

longer answer: there is back-end support for timing out the master password
(either requiring it every time a password is retrieved, or after x minutes). 
See bug 218694 for why there is no UI.  The prefs are
signon.expireMasterPassword, security.password_lifetime, and
security.ask_for_password.  See bug 222408 for a request to add UI for this,
though it seems unlikely it will be implemented in light of the other bugs.
Summary: Password manager fillin the username and passsowrd without asking for the master password → Password manager fills in username and password without asking for the master password
(In reply to comment #1)
> short answer: this is the way it's designed to work.  You only need to provide
> the master password once per session.  If you have security concerns, lock your
> computer, exit out of your programs, or log out.  See bug 266778.
> 
> longer answer: there is back-end support for timing out the master password
> (either requiring it every time a password is retrieved, or after x minutes). 
> See bug 218694 for why there is no UI.  The prefs are
> signon.expireMasterPassword, security.password_lifetime, and
> security.ask_for_password.  See bug 222408 for a request to add UI for this,
> though it seems unlikely it will be implemented in light of the other bugs.

That would make this bug either INVA or WONT , no ?
Not exactly sure what to do with this bug, but treating it as a duplicate of the
"add timeout UI" bug probably makes the most sense.

*** This bug has been marked as a duplicate of 222408 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.