Closed Bug 430761 Opened 16 years ago Closed 16 years ago

Two separate firefox windows sharing same session/cookie

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
major

RESOLVED DUPLICATE of bug 117222

People

(Reporter: prabha_v2, Unassigned)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8

I have a problem of two Firefox windows sharing the same session/cookie for sending requests.

I am accessing my application using Firefox. For this I opened two Firefox windows and launched the same site. The first window used user A to log in and the second window used user B to log in, but when I logged in as user B, I was able to see user A's details. When I verified with Tamper Data, I found that the second window was sending the request with a request header containing the cookie content used by Firefox window 1.
A child window or tab window having the same cookie sounds correct. But a new window should be considered a separate session and is not expected to share the cookie. Is this a bug in Firefox, or is my understanding wrong with respect to Firefox?

Reproducible: Always

Steps to Reproduce:
1. Launch Firefox window 1. Launch www.yahoomail.com and log in in the first window.
2. Launch Firefox window 2. Capture the URL from the first window (after login), use it in the address bar and 'go'.
3. You can see the second window will not take you to the login page; instead it will take you directly to the logged-in Yahoo page.
This Yahoo site is a sample, but this is happening across other sites as well.

Actual Results:
The actual result is that the second window goes to the Yahoo inbox page.

Expected Results:  
Should take me to the Yahoo login page.

I am using Windows XP and have also verified this in IE6, where I don't have this problem. In IE I can see that the separate IE windows do not share the same cookies.

Our application is used by most of the Australian internet users and Firefox is their favourite. For them it is considered a big security issue.

The cookies are only sent to the same exact domain that they were written by.
They are (most probably) session cookies and are therefore discarded when the session is over, i.e. when the browser (Firefox) is closed (all instances).

IE in fact displays peculiar behavior in this regard, in that if a new tab is opened the same 'cookie-stealing' is accomplished, but if a new window is opened the cookies are reset; this seems to me contradictory. In any event this behavior is, apparently, expected.

I think you have not understood correctly. I have opened two separate Firefox windows and in window 1 logged into my application with user A. I have not closed it and I have not logged out yet. In this scenario, when I open the second Firefox window (not a child window or a tab) and launch the same site (obviously the same domain), I am not asked for login credentials and I am already recognized as a logged-in user, showing user A's details.

The scenario is not an issue if someone is doing this at his own PC for testing. But in an internet cafe, if a user unknowingly leaves his browser open after navigating our site without logging out, and a new user comes, launches a new Firefox window and opens the same site, the browser will take them to the page that shows user A's details.

The reason I mentioned IE is not for comparison, but for the information that when launching two separate windows there is no sharing of cookies; both IE windows use their own cookie/privacy data.

Hope this will help you to understand more.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
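
The behaviour discussed in this bug, as an added example that is not part of the original report or of Firefox's code: two clients bound to one cookie jar (two windows of one profile) are indistinguishable to the server, while a client with its own jar is sent to the login page. The toy site, its `/login/<user>` and `/inbox` paths, the `sid` cookie name and the use of Python's `CookieJar` as a stand-in for the browser's cookie store are assumptions made for the illustration.

```python
import http.cookiejar
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # constructed in-memory session store: session id -> user

class App(BaseHTTPRequestHandler):
    """Hypothetical site: /login/<user> sets a session cookie, /inbox reads it."""
    def do_GET(self):
        sid = self.headers.get("Cookie", "").partition("sid=")[2].split(";")[0]
        self.send_response(200)
        if self.path.startswith("/login/"):
            user = self.path.rsplit("/", 1)[1]
            sid = secrets.token_hex(16)
            SESSIONS[sid] = user
            # No Expires/Max-Age, so this is a session cookie: the client
            # keeps it until the whole browser exits, not until a window closes.
            self.send_header("Set-Cookie", f"sid={sid}; Path=/; HttpOnly")
            body = f"logged in as {user}"
        else:
            body = SESSIONS.get(sid, "login page")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the demo output quiet
        pass

def window(jar):
    """A 'window' is an HTTP client bound to a cookie jar (the profile)."""
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor(jar))

def demo():
    server = HTTPServer(("127.0.0.1", 0), App)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    fetch = lambda win, path: win.open(base + path).read().decode()
    profile = http.cookiejar.CookieJar()            # one profile, one jar
    win1, win2 = window(profile), window(profile)   # two windows share it
    fetch(win1, "/login/userA")
    shared = fetch(win2, "/inbox")                  # no login in window 2
    isolated = fetch(window(http.cookiejar.CookieJar()), "/inbox")
    server.shutdown()
    server.server_close()
    return shared, isolated

if __name__ == "__main__":
    print(demo())
```

The server only ever sees the `Cookie` header, so ending the session on a shared machine depends on the site's logout and session expiry rather than on which window sent the request.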