Session cookies should clear-on-free




9 years ago
3 years ago


(Reporter: johnath, Unassigned)



Firefox Tracking Flags

(Not tracked)


(Awfully similar to bug 588087)

I got a question from IronKey today about whether it would be possible for
memory containing session cookies to be cleared when freed. Initially, I
resisted, figuring that anyone who can read arbitrary memory can already be
pretty nefarious. Still, I think there's some logic to the argument that it
would be nice if stealing sessions from an executing firefox instance required
more than just feeding a core dump through "strings".

I could be wrong, though! dwitte, what think you?

Comment 1

9 years ago
Huh. It wouldn't take much to do so. (One line of code.)

However, I don't think there's much precedent for this kind of thing. What about passwords? Those are kept in memory as plaintext, I think; even if you have a master password, once you enter that they're decrypted in memory. CC'ing dolske to confirm.

I'm not really against it, just concerned that this is not the right fish to fry, if we're frying fish. :)

Comment 2

9 years ago
Oh, and there we go, you already filed a bug on passwords. Way ahead of me!

Comment 3

9 years ago
That being said, then, still worth adding the line of code for this one?

Comment 4

9 years ago
I thought that a session cookie was only freed when the browser is closed (which is unfortunate I think, but a session cookie doesn't have an expiration time). So, unless you clear the cookies manually, does it really matter ?

Clearing memory when a cookie is freed (session cookie or not) is a different matter.

Comment 5

9 years ago
So, I'm still curious what IronKey expects to gain from this. Say you have session cookies alive in the browser. They're going to stick around until 1) the site deletes them, 2) you close the browser, or 3) you clear cookies.

1) doesn't really matter, since if the site deleted them then it's thrown away your state serverside, so the cookie data becomes useless.

2) doesn't matter by definition.

3) is the only case that really matters. How frequently is a user going to clear cookies to log out? I assert that's very infrequent.

Is he on the same page?

Comment 6

9 years ago
Well now that's a fine question, Dan. The guys from IronKey have these bug links, hopefully one of them can chime in here on the scnearios you describe.
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.