Closed Bug 542688 Opened 10 years ago Closed 10 years ago

Sessions Resume After Browser is Closed and Reopened.


(Firefox :: Session Restore, defect, major)

Windows XP
Not set



Firefox 3.7a1


(Reporter: webpat52, Unassigned)


User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)

Problem: Open Firefox and user is already logged in from previous session.
Cause: Firefox is configured to "Show my windows from last time". I just learned this is known as "Session Restore", although it is not called that on the Firefox Options page. Also learned that "Session Restore crash recovery feature which is enabled by default" exists behind the scenes in the configuration. Normal closing of Firefox with an active session in one window will hold that session open. If Firefox is restarted the user continues as logged in, even though he closed the browser. I believe this also occurs if the user navigates away from the application page to, for example, the Google search page, prior to closing Firefox.
This was observed in a local development environment on a single PC using PHP. Same tests performed on IE8 create the expected results of ending a session when the browser is closed.

Reproducible: Always

Steps to Reproduce:
1. Set FF to open with previous windows. (Only a single window (Tab) is necessary.)
2. Execute a page which stores a user in a session, similar to a typical login form.
3. Close FF.
4. Open FF and check if the user is still assigned to the session. Should not be, but will be.

Actual Results:
Session is not ended by closing FF. Opening FF resumes the same session.

Expected Results:  
Session should be ended when FF is closed. New session would be initialized on reopen, using normal session creation.

You can also view the session file being modified where the session files are kept.
This keeps users logged into a session when they expect that it has been ended. This leaves the session available to unintended users.

So to be clear... You want Firefox to restore your windows and tabs, but not your cookies (which is how websites control sessions)?

That is correct. I've been using the restore windows and tabs for a while and have found them quite useful. Only recently did I notice it was affecting sessions. I don't think the application refers to session restore anywhere - I'd never heard of it. I only found it in the documentation yesterday.

I think the public specs for Sessions are pretty clear, that a session should end with the browser. I think these are "session cookies" that are being held. I think they are supposed to be gone with the browser closing. There may be different cookies that can be held for a fixed period.

I'm no guru on this topic, but that's my best understanding. I think now it's not working like most people would expect, including developers and website owners, maybe including sites that have been around for quite a while.

You are not the first to say so. This is a dupe of bug 443354 but also take a look at bug 529899. I think there's also a bug about making it clearer that we're essentially resuming your browser session as best as possible (the language around "session" gets a bit confusing).

Closed: 10 years ago
Resolution: --- → DUPLICATE
Target Milestone: --- → Firefox 3.7a1
Duplicate of bug: 443354
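
The thread establishes that Session Restore brings session cookies back along with windows and tabs, so a site cannot rely on the browser being closed to end a login. A server-side expiry check that handles a restored cookie, as an added example that is not from this bug report or from Firefox (the `SessionStore` class, the timeout values and the `demo` scenario are assumptions made for illustration):

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # assumed policy: 15 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed policy: 8 hours since login


class SessionStore:
    """In-memory server-side session table keyed by the cookie value."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable session id for the cookie
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)  # server forgets the id; cookie is now useless

    def authenticate(self, sid):
        """Return the user for a presented cookie, or None if it is no longer valid."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self._clock()
        idle = now - record["last_seen"]
        age = now - record["created"]
        if idle > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # expire regardless of what the browser kept
            return None
        record["last_seen"] = now
        return record["user"]


def demo():
    """Constructed scenario: the same cookie is presented again after a restore."""
    now = [1_000_000.0]  # fake clock so the example runs instantly
    store = SessionStore(clock=lambda: now[0])
    sid = store.login("alice")
    now[0] += 60  # browser closed and reopened a minute later
    after_1_min = store.authenticate(sid)
    now[0] += IDLE_TIMEOUT + 1  # browser reopened after the idle window
    after_idle = store.authenticate(sid)
    sid2 = store.login("alice")
    store.logout(sid2)  # explicit logout before closing the browser
    return after_1_min, after_idle, store.authenticate(sid2)
```

A quick reopen still resumes the login, which is the behaviour reported here; the server bounds that window with the timeouts and ends it immediately on logout.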