Closed Bug 650298 Opened 11 years ago Closed 11 years ago

Restore Previous Session returns to secured page without logging in

Categories

Firefox :: Security, defect
Platform: x86, macOS
Priority: Not set
Severity: major

RESOLVED DUPLICATE of bug 530594

People

(Reporter: rvjanc, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0) Gecko/20100101 Firefox/4.0
Build Identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0) Gecko/20100101 Firefox/4.0

If I go to some secure (https) site where I need to log in, then quit FF without logging out, then restart FF and then go to Restore Previous Session, I end up at the last secure page I was viewing when I quit FF.

Reproducible: Always

Steps to Reproduce:
1. Go to a site like https://www.att.com/olam/dashboardAction.olamexecute
2. Log in
3. Click to some place on the site
4. Quit FF WITHOUT logging out
5. Launch FF and Restore Previous Session
6. You are still logged in and on the last page before you quit.

NOTE: This does not happen on all secure sites, but on those where it happens it is repeatable.


Expected Results:  
Expected to not be logged in after Restore Previous Session involving a secure site like AT&T accounts.

This happens at these sites I have tried:

https://www.wireless.att.com/olam/dashboardAction.olamexecute
http://www.we-energies.com/ (log-in is secure)
https://www.centurylink.com/Pages/Identification/maIdentification.jsp

It DOES NOT HAPPEN at my bank or Gmail.
I tried this on the AT&T site using Safari and when I clicked on "Reopen all windows from last session" I ended up at the log-in page, NOT IN THE ACCOUNT.

I couldn't try this with Chrome since it doesn't appear to have a session restore capability from what I see.
This behavior has also been reported for eBay, PayPal and BOA.

http://forums.mozillazine.org/viewtopic.php?f=38&t=2167727&p=10693805#p10693805

This was a conscious design decision so no need to keep the bug hidden (it was considered a win for "user convenience").

See bug 443354, bug 529899, and bug 530594
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: eternalsession