417711 - after a crash, "Restore session" allows continued access to password protected web pages opened during crashed session

Status: RESOLVED DUPLICATE of bug 345345

(Toolkit :: Password Manager, defect)

Description

[Genuine Jones]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

After power off or reset type crash during which Firefox is open and logged on to password protected sites (email accounts), restarting the computer and then Firefox brings up a dialog "restore session or start new session". If you "restore session" you are reconnected to the password protected sites and CAN REFRESH them (i.e. get new mail if any) without the master password request popping up or having to re-login. Accessing a password protected site that was not already displayed in the crashed Firefox session causes the master password popup to display and requires a login, but not sites that were being accessed in the crashed session. I expect this is something to do with cookies, and may expire at the remote site end in the normal session expiry time, but it seems insecure. Or convenient, which is often the same thing.

Reproducible: Always

Steps to Reproduce:
1.run Firefox 2.0.0.12, log in to web mail site
2.power off computer or press reset button
3.restart computer, run Firefox, select "restore session", refresh mail ("Check Mail" at mail.com, "get mail" at tesco.net)
Actual Results:  
new mail is displayed, if any or "no new mail"

Expected Results:  
Might be better if one was required to log in again.

Comment 1

[Sebastian Redl]

Dupe of #345345