Closed Bug 367051 Opened 18 years ago Closed 17 years ago

Other persons info seen in form after "session restore"

Categories

(Firefox :: Session Restore, defect)

Product:
Firefox
Component:
Session Restore
Version:
2.0 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: kounapuu, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0

I downloaded some software from adobe.com, and prior to viewing the page with the actual download link, Adobe asks you to login with your Adobe ID and confirm your registration information. After I finished downloading, I left the browser to install the software for about 10 minutes (the browser and the Adobe page were still running). Then I rebooted my machine (browser and form page were still open at this point) and when I opened up Firefox again there was a session restore prompt like usual, I clicked Ok/Yes... and now I saw the Adobe registration information page with someone else's information (a very unique looking japanese email address, and other form info). Most likely this was another person registering for the download during the same time.

Reproducible: Always

Steps to Reproduce:
1. Open a new session of Firefox.
2. Visit http://www.adobe.com/devnet/devices and click "Flash Lite 2.1 Player for Symbian (Dec. 4, 2006)". You may have a problem accessing this page because of timeouts. It works like 1 out of 3 times.
3. The next page you should see is an Adobe login page. You will have to register for an account (free). The account is used to access Adobe forums and downloads.
4. After you login, you will be presented with a form page that shows all of your registration information (they are getting you to double check it, as the registration information is submitted for this specific download. Scroll down the form page and you notice questions specific to the download).
5. Go ahead and download the file. Then I suppose just wait a while, do something outside the browser for a bit?
6. Reboot the system or crash firefox... you want the Session Restore feature to kick in next time you run Firefox.
7. Run Firefox and allow the Adobe page to be restored... at this point, you should see other user information (not generic)... data which is sent from Adobe for another user perhaps using the same session id as you were shortly before.
Actual Results:  
Different user personal info displayed on a secure form.

Expected Results:  
A clear form without any form data after a session restore.
Version: unspecified → 2.0 Branch
If it works the way you say then it's not a Firefox bug, but a problem that only Adobe can fix. Sites using session cookies as poorly as this are a dime a dozen, and there's nothing Firefox can do about it.
Component: General → Session Restore
QA Contact: general → session.restore
(In reply to comment #0)
> Actual Results:  
> Different user personal info displayed on a secure form.

Besides this looking like Adobe's bug, we don't restore secure forms, cookies, etc. at all per default to start with. Still, if you can reproduce the above behavior, you might want to tell Adobe...
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.