Closed Bug 588089 Opened 14 years ago Closed 8 years ago

Session cookies should clear-on-free

Categories

(Core :: Networking: Cookies, defect)

Product:
Core
Component:
Networking: Cookies
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: johnath, Unassigned)

Details

(Awfully similar to bug 588087)

I got a question from IronKey today about whether it would be possible for
memory containing session cookies to be cleared when freed. Initially, I
resisted, figuring that anyone who can read arbitrary memory can already be
pretty nefarious. Still, I think there's some logic to the argument that it
would be nice if stealing sessions from an executing firefox instance required
more than just feeding a core dump through "strings".

I could be wrong, though! dwitte, what think you?
Huh. It wouldn't take much to do so. (One line of code.)

However, I don't think there's much precedent for this kind of thing. What about passwords? Those are kept in memory as plaintext, I think; even if you have a master password, once you enter that they're decrypted in memory. CC'ing dolske to confirm.

I'm not really against it, just concerned that this is not the right fish to fry, if we're frying fish. :)
Oh, and there we go, you already filed a bug on passwords. Way ahead of me!
That being said, then, still worth adding the line of code for this one?
I thought that a session cookie was only freed when the browser is closed (which is unfortunate I think, but a session cookie doesn't have an expiration time). So, unless you clear the cookies manually, does it really matter ?

Clearing memory when a cookie is freed (session cookie or not) is a different matter.
So, I'm still curious what IronKey expects to gain from this. Say you have session cookies alive in the browser. They're going to stick around until 1) the site deletes them, 2) you close the browser, or 3) you clear cookies.

1) doesn't really matter, since if the site deleted them then it's thrown away your state serverside, so the cookie data becomes useless.

2) doesn't matter by definition.

3) is the only case that really matters. How frequently is a user going to clear cookies to log out? I assert that's very infrequent.

Is he on the same page?
Well now that's a fine question, Dan. The guys from IronKey have these bug links, hopefully one of them can chime in here on the scnearios you describe.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.