Closed Bug 306766 Opened 19 years ago Closed 9 years ago

SSL sessions remain open when browser windows closed

Categories

(Firefox :: Security, defect)

3.6 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 117222

People

(Reporter: mikey, Unassigned)

Details

(Whiteboard: DUPEME)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Problem only occurs with Outlook Web Access. It is repeatable with different OWA
servers, different client PCs. Only observed since "Tabbed browsing" introduced,
but with tabs switched off. If a window logged in to OWA is closed and any other
Firefox window exists, a fresh window pointed at the OWA host will be fully
logged in and display the private email. Surely this should not occur if a tab
is closed, either? Deleting cookies has no effect.

Reproducible: Always

Steps to Reproduce:
1. Log into OWA SSL session. Start another Firefox window. 
2. Close OWA window. Clear cache and delete cookies.
3. Open new window towards OWA host.

Actual Results:  
You are already logged in as the previous user!

Expected Results:  
The log-in window should have appeared.
This might be fixed with the new "Clear Private Data" option called
"Authenticated sessions". Leaving an SSL session open until firefox.exe is
killed is done by design, I think.

Then that design needs urgent review.
Many banks advise "closing the browser window" as well as logging out (with IE
this can be done automatically) and how is the user to understand that this
means ALL browser windows?
Also, in Internet cafes, one browser window is sometimes used for overall
control and cannot be closed. The next user could get logged straight into the
previous user's account. However, I can only replicate this with OWA servers;
most SSL sites do log off on window or tab closure.

I agree with Mike.  I go to New England Tech and when accessing email, you log in from the Students Home Page at students.neit.edu.  When you click the email link, it automatically launches a new browser window.  So, when you click logoff and then click "close this window", the students home page is still open.  Clicking the email link again opens Outlook Web Access fully authenticated.  Even if you had left the students home page and visited other non-NEIT sites, as long as that original Firefox session hasn't been closed out, you can return to the Students home page and launch OWA without having to login again.  This problem still exists in the version I just installed:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

(In reply to comment #2)
> Then that design needs urgent review.
> Many banks advise "closing the browser window" as well as logging out (with IE
> this can be done automatically) and how is the user to understand that this
> means ALL browser windows?
> Also, in Internet cafes, one browser window is sometimes used for overall
> control and cannot be closed. The next user could get logged straight into the
> previous user's account. However, I can only replicate this with OWA servers;
> most SSL sites do log off on window or tab closure.

Whiteboard: DUPEME
This is still "wrong" in Firefox v3.5
I cannot see why it is good design to keep SSL sessions open when the window (or even tab) operating it is closed.

It does not just apply to OWA but any SSL session.

If any other Firefox window happens to be open, the SSL session is not closed, but available in the other window.
Version: unspecified → 3.5 Branch
This is still "wrong" in Firefox 3.6

Will someone please CONFIRM this or, better, take it up for fixing?

Or can someone explain the design "advisability" of applying SSL sessions across all tabs and windows?

Another SERIOUS security risk is that, if a secure window is left open in, say, an open-office environment, while the user is briefly absent, another person can make changes to the user's data in a separate tab or window without any evidence of it being left in the main window.
Version: 3.5 Branch → 3.6 Branch
I believe the confusion is that FF (and every other browser, AFAIK) regards the http session in the same scope as the browser session, and users may expect the http session to be terminated upon closing a tab or window.  

This really has nothing to do with SSL, just with session scope and lifetime.  The same behavior could be observed on http sessions on non-ssl web sites.

I would not expect this behavior to change, as doing so would break a lot of functionality.  Users should log out of web applications to end their http session on the server, or close the browser completely to terminate their browser session and all corresponding http sessions.
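The session-scope point made in the comment above, as an added model written for this thread and not code from Firefox, OWA or any commenter: a cookie with no Max-Age/Expires is sent by every window and tab of one browser process, the server never learns that a window was closed, so only an explicit logout (server-side invalidation) or a server-enforced idle timeout can end the login. The in-memory store, the `sid` cookie name and the 15-minute timeout are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed: seconds of inactivity before the server drops a session

# session id -> {"user": ..., "last_seen": ...}; hypothetical in-memory store
_sessions = {}

def login(user, now=None):
    """Create a server-side session and return the Set-Cookie header value.
    No Max-Age/Expires: a session cookie that lives as long as the browser
    process and is shared by all of its windows and tabs."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "last_seen": time.time() if now is None else now}
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def cookie_sid(cookie_header):
    """Extract the sid value from a Cookie request header (None if absent)."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None

def current_user(cookie_header, now=None):
    """Return the logged-in user for a request, or None. Closing one window
    changes nothing here: the next window presents the same cookie."""
    now = time.time() if now is None else now
    sess = _sessions.get(cookie_sid(cookie_header))
    if sess is None:
        return None
    if now - sess["last_seen"] > IDLE_TIMEOUT:
        # idle timeout: the server-side mitigation for a window left open
        del _sessions[cookie_sid(cookie_header)]
        return None
    sess["last_seen"] = now
    return sess["user"]

def logout(cookie_header):
    """End the session on the server. Deleting the cookie in one window would
    not help while this entry exists, so logout must invalidate it here."""
    _sessions.pop(cookie_sid(cookie_header), None)
```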
Duplicate of bug 117222?
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE