Bug 389291 (Closed)
Secure site login remains open across windows until Firefox totally closed.
Opened 18 years ago; closed 18 years ago
Categories: Firefox :: Session Restore, defect
Status: VERIFIED DUPLICATE of bug 117222
People: Reporter: Robbyseven; Unassigned
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
When multiple windows are open, if one is used to open the secure site in the URL (Charles Schwab) and log into it (entering ID and password), and if that window is closed with corner "X", if you then open the same URL in a new window, the login process is bypassed, and you go directly into the last secure page you were in when the original window was closed. It only logs out when you close Firefox completely (close all windows).
Note that this happens when both browser.sessionstore.resume_from_crash and browser.sessionstore.enabled are set to false.
...hope this isn't a redundant report, but I did look and didn't see it listed. Firefox is great, BTW.
Reproducible: Always
Steps to Reproduce:
1. See details
Actual Results:
see details
I am concerned that this is a critical security bug that could allow other sites opened in other windows to gather data about secure sites previously opened in the same Firefox session. I guess this might have always been a problem even before this but may be more severe with this bug now.
Expected Results:
It should have forced me to logon again, as Firefox 1.5 did.
Other than possibly some iTunes software, I have not updated my computer system since going from Firefox 1.5 to 2.0.
Comment 1•18 years ago
This sounds like bug 117222 to me.
Comment 2•18 years ago
Me too!
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Comment 3•18 years ago
(In reply to comment #0)
> It should have forced me to logon again, as Firefox 1.5 did.
Firefox 1.5 should behave the same way (sharing cookies across Firefox instances, not windows). Are you sure this behavior was different in 1.5?
I'm 99.9999 percent sure.
I often have upwards of 35 Firefox windows up, and often do not boot for days (I have 1 gig of memory). Sometimes these windows have multiple tabs, too (although I don't have multiple tabs up in secure windows... I don't think so anyway, and in any case the current bug doesn't relate to tabs). And actually, I have often chided myself when I have left windows with secure sessions open in a multiple-window Firefox session, and worried (irrationally or not) that, even when the secure window was closed, that other sites might be able to obtain secure data.
So, if it was possible before, it would have happened to me, and if it had, I would have noticed.
BTW, the bug you cite as me having duplicated is quite an old one. And, aren't the browser.sessionstore.* options in Firefox that I mentioned designed to prevent this "feature" (bug), if desired?
Also, by "instances", do you mean starting and stopping the Firefox application? If so, it seems to me that you would be implying that I would never have to log into a secure site but once, ever... and I know you don't mean that, since I'm sure it would mean leaving a string of secure data open and vulnerable on your system until you boot (right?).
I'm not sure you understand the bug I'm trying to report:
1. I start Firefox 2.0.0.5. A window opens with my default homepage, Google.
Call this Window 1.
2. I go to the New Window icon, click it, and get a new window. Call this new window, Window 2A.
3. In Window 2A, I use a bookmark to open a secure URL, in which page I log on, with my ID and password, to the Charles Schwab online customer network. I get a screen showing my personal financial data in the network.
4. I close Window 2A with the "x" near the size/minimize icons in the upper right hand corner. There is now only Window 1 open.
5. I then go to the New Window icon and open a new window. Call that Window 2B.
6. In Window 2B, I use the same bookmark as before to open the same secure Charles Schwab URL, but instead of having to log on, I am immediately directed to the same screen, showing my personal, supposedly secure, financial data, that I was in when I closed Window 2A. I can then go on to maneuver within the network/site, as if I had logged on again, even though I haven't, in Window 2B.
I don't think the data that contains the screen/site info is in the form of cookies, although I am no tech. In any case, as far as I am concerned, Firefox shouldn't be carrying such data across windows, much less "instances", if "instances" means a new start/session of Firefox.
Oh... I forgot I did get a new release of NoScript: 1.1.6.02, just before this happened (I think). And I have had no such trouble with other secure financial sites. So maybe this is a combined problem, between 2.0.0.5 and Schwab's site.
If I have the ability, I'm going to reopen this due to the possibility of misconceptions... I hope I have made this clearer now...
Many thanks,
Robert
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Comment 5•18 years ago
Thanks for taking the time to explain in more detail, Robert.
The browser.sessionstore.* preferences apply to the "session restore" feature that was introduced in Firefox 2, and that functionality is only invoked after you've quit Firefox completely and then restarted it. Since you're not doing this in the steps you list (there's always a Firefox window open), they're not relevant to this bug.
When you run Firefox and open multiple windows, you're still running one "instance" of Firefox (a single Firefox "process"). Firefox stores session cookies per-instance, not per-window (that's bug 117222).
What's perplexing to me is how you say that 1.5 didn't have the same behavior. The steps you list should give the same results in both 1.5 and 2.0, because bug 117222 exists in both of those versions of Firefox. Could you try going through the steps in Firefox 1.5?
Comment 7•18 years ago
You can obtain Firefox 1.5 at http://www.mozilla.com/en-US/firefox/all-older.html .
OK, Gavin: I did try it with 1.5, and you are correct; the same thing occurs in that release.
So I guess I just must have been "lucky", and that the fact that it only occurs with the Schwab site, as opposed to other financial sites I use, mitigated against my noticing it (I am still convinced I would have noted and reported it then, as I have done now with this bug report, had it happened). But I also noticed some subtle changes in the graphics in the Schwab site, perhaps indicating some recent changes in their software. Taken together, these make me think it would be a good idea to report this to Schwab as well.
So, as you say, this is in fact a dupe of bug 117222, as far as Firefox is concerned, and I'll mark it as such. The obvious workaround is for me to close Firefox after I have used the Schwab site.
I don't know if the security aspect I encountered is part of that bug, and assume that, if it's not, marking it as a dupe will automatically incorporate it somehow. If it isn't automatic, I assume you will do it, reading this.
Many thanks, and all the best,
Robert
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago → 18 years ago
Resolution: --- → DUPLICATE
Comment 9•18 years ago
(In reply to comment #8)
> I don't know if the security aspect I encountered is part of that bug, and
> assume that, if it's not, marking it as a dupe will automatically incorporate
> it somehow. If it isn't automatic, I assume you will do it, reading this.
Yes, the security implications of that bug are already known.
Thanks again for following up, Robert!
Status: RESOLVED → VERIFIED
Comment 10•18 years ago
(In reply to comment #8)
> So, as you say, this is in fact a dupe of bug 117222, as far as Firefox is
> concerned, and I'll mark it as such. The obvious workaround is for me to close
> Firefox after I have used the Schwab site.
Most sites provide an explicit "Sign out" link that will delete their login cookies, logging you out of all windows. If Schwab doesn't, there are also a number of "addons" that will allow you to easily delete "session" cookies or even all cookies. You can also do it in a standard Firefox, but using the cookie management screens in the Options dialog isn't very convenient.
One addon I use is Web Developer Toolbar which has a "clear session cookies" command, but that addon is way overkill if this is all you need. You could ask around and see if "Remove Cookie(s) for Site" is any good (https://addons.mozilla.org/en-US/firefox/addon/1595) -- I can't vouch for it personally.
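Added example, not part of this bug report and not Firefox code: a small JavaScript model of the behaviour the thread describes. Session cookies (no Max-Age or Expires) live in one jar per browser process, so closing the window that logged in leaves the login cookie available to any new window; the session only ends when the site's "Sign out" response deletes the cookie (Max-Age=0) or the process exits. The cookie names and values, the Set-Cookie headers, and the absence of host/path scoping are constructed assumptions for illustration.

```javascript
// Added example (not from the bug report or Firefox): a toy model of a
// browser's cookie jar. Simplifications: cookies are not scoped by host or
// path, and only Max-Age is honoured (real browsers also honour Expires).

// Parse one Set-Cookie header value into name, value and Max-Age.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), maxAge: null };
  for (const attr of attrs) {
    const [k, v] = attr.split('=').map((s) => s.trim());
    if (k.toLowerCase() === 'max-age') cookie.maxAge = Number(v);
  }
  return cookie;
}

// One jar per browser process. Windows are just views onto the same jar,
// which is the point of bug 117222: closing a window does not touch it.
class BrowserProcess {
  constructor() {
    this.jar = new Map();      // name -> { value, session }
    this.windows = new Set();
  }
  openWindow() {
    const win = { id: this.windows.size + 1 };
    this.windows.add(win);
    return win;
  }
  closeWindow(win) {
    this.windows.delete(win);  // jar deliberately untouched
  }
  // Apply a Set-Cookie header from a response, as the browser would.
  receive(setCookie) {
    const c = parseSetCookie(setCookie);
    if (c.maxAge !== null && c.maxAge <= 0) {
      this.jar.delete(c.name); // already expired: the server is deleting it
    } else {
      this.jar.set(c.name, { value: c.value, session: c.maxAge === null });
    }
  }
  // Cookie header attached to the next request, from any window.
  cookieHeader() {
    return [...this.jar].map(([k, v]) => `${k}=${v.value}`).join('; ');
  }
  // Process exit: session cookies (no Max-Age/Expires) are discarded.
  quit() {
    for (const [name, c] of this.jar) if (c.session) this.jar.delete(name);
  }
}

// Constructed login response: a session cookie with no Max-Age.
const LOGIN_SET_COOKIE = 'SESSIONID=abc123; Path=/; Secure; HttpOnly';
// Constructed sign-out response: same name, empty value, Max-Age=0.
const SIGNOUT_SET_COOKIE = 'SESSIONID=; Path=/; Max-Age=0; Secure; HttpOnly';

function hasLogin(proc) {
  return proc.cookieHeader().includes('SESSIONID=abc123');
}

// Steps 1-6 of the report: log in from window 2A, close it, open 2B.
function sessionSurvivesWindowClose() {
  const ff = new BrowserProcess();
  ff.openWindow();                         // Window 1 (home page)
  const w2a = ff.openWindow();             // Window 2A
  ff.receive(LOGIN_SET_COOKIE);            // log in to the site
  ff.closeWindow(w2a);                     // close with the corner "X"
  ff.openWindow();                         // Window 2B
  return hasLogin(ff);                     // true: still logged in
}

// The mitigation from comment 10: an explicit "Sign out" deletes the cookie
// for every window, because there is only one jar.
function signOutEndsSession() {
  const ff = new BrowserProcess();
  ff.openWindow();
  ff.receive(LOGIN_SET_COOKIE);
  ff.receive(SIGNOUT_SET_COOKIE);
  return hasLogin(ff);                     // false
}

// The reporter's workaround: quitting Firefox drops session cookies.
function quitEndsSession() {
  const ff = new BrowserProcess();
  ff.openWindow();
  ff.receive(LOGIN_SET_COOKIE);
  ff.quit();
  return hasLogin(ff);                     // false
}
```

The model makes the two lifetimes visible: a window has no cookie state of its own, so nothing a user does with the window chrome can end the login; only the cookie's own expiry (set by the server on sign-out) or the end of the process does.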
Comment 11•18 years ago
Actually, using "sign out" had recently occurred to me too, afterwards. Many thanks for the tips, Daniel!