Open Bug 406279 Opened 17 years ago Updated 3 years ago

Changing Master Password Leaves Browser in Logged-In State

Categories

(SeaMonkey :: Passwords & Permissions, defect)

Product:
SeaMonkey
Component:
Passwords & Permissions
Version:
SeaMonkey 1.1 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

People

(Reporter: david, Unassigned)

Details

(Keywords: privacy) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071128 SeaMonkey/1.1.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071128 SeaMonkey/1.1.7

If I change my master password, SeaMonkey is placed in a logged-in state.  That means I then do not have to enter the master password to have individual user IDs and passwords supplied to login to secure Web sites.  

There is no warning either on the Master Passwords window or the Change Master Password dialogue that I should logout after changing my master password.  This leaves my browser unsecured.  Better than a warning, the act of changing the master password should not leave the browser in a logged-in state.  

Reproducible: Always

Steps to Reproduce:
1.  Start SeaMonkey.  
2.  On the menu bar, go to [Edit > Preferences > Privacy & Security > Master Passwords].  
3.  On the Master Passwords window, select the Change Password button.  
4.  On the Change Password dialogue, enter your old password and twice enter a new password.  
5.  Select OK buttons to complete the change.  
6.  Go to a Web site with a login for which you have stored ID and password.  

Actual Results:  
The stored ID and password are immediately entered into the login area of the Web page.  

Expected Results:  
You should be asked for the (new) master password before the stored ID and password are entered.
Can you reproduce with SeaMonkey v1.1.9 ?
Can you reproduce with SeaMonkey v2.0a1pre ?
Keywords: privacy
Version: unspecified → SeaMonkey 1.1 Branch
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9:  This is still a problem.  

SeaMonkey v2.0a1pre:  With a dial-up connection, I do not usually download nightlies, alphas, or betas.  If you really think a specific, identified modification actually fixed this problem, let me know the version.  I will then consider downloading it for a test.  

Note that, even when I explicitly logout before changing my master password, changing it logs me in.  In the test case I describe, Step 1 (starting SeaMonkey) should leave SeaMonkey logged-out.  However, I can reproduce the problem even if I go to the menu bar and select [Tools > Password Manager > Log Out] just before Step 2.
You need to log in before you can comment on or make changes to this bug.