655178 - SECURITY:FormsAuthenticationCookie is not being cleaned up for pinned tabs upon closing browser.

Status: RESOLVED WORKSFORME

(Firefox :: Session Restore, defect, P5)

Description

[ChandraGottumukkala]

User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Build Identifier: FireFox4.0.1

The firefox 4.0.1's UI setting "Options > Options > Privacy > Keep until > I close Firefox" is not cleaning up forms authentication cookies for app tabs.

I have an HTTPS website that get forms authenticatio cookie once I logged into a website. I create app tab hook to one of the secured webpages in the website.
When I close the browser, I expected that forms authentication cookie to be cleaned up since I made the above mentioned setting.

When I reopened the browser, it still successfully goes to the AppTab's shortcut page without taking me to login page. This is happening because the FireFox4.0.1 has Browser.SessionStore.Privacy_Level as 0.



Reproducible: Always

Steps to Reproduce:
1.Open a FF4.0.1 browsers and go to any secured financial website that generates ASP.NET forms authentication ticket in the form of a cookie.
2.Login into the website.
3.Create AppTab shortcut to any secured page in the website.
4.Make setting, Options > Options > Privacy > Keep until > I close Firefox
5. Close the browser
6.Reopen browser.

Actual Results:  
It takes user to the secured webpage without taking him/her to a login page. This happens because the forms cookie is not cleaned up upon closing the browser.



Expected Results:  
To avoid, security issues, the default setting for FF4.0.1 should be 2 for browser.sessionstore.privacy_level 

If that is not acceptable, then please provide an UI setting that cleansup extra session data such as FormsAuthentication cookies upon closing browser.Currently, it is not working app tabs.

To avoid, security issues, the default setting for FF4.0.1 should be 2 for browser.sessionstore.privacy_level 

If that is not acceptable, then please provide an UI setting that cleansup extra session data such as FormsAuthentication cookies upon closing browser.

Comment 1

[ChandraGottumukkala]

Is anyone working on this? It is high priority issue for our business.  If FF team does not care about this, we would like to caution our users not to use FF4.0.1.

Comment 2

[ChandraGottumukkala]

Changed the bucket by hoping that it will get somebody's attention.

Comment 3

[Daniel Veditz [:dveditz]]

Unhiding bug (clearing the "security bug" flag) because this was a conscious product decision that App Tabs are special, and are taken to indicate a desire on the part of the user to keep working. Addressing that kind of thing through a "bug" report when some of the participants do not believe it to be a "bug" is generally not productive. This is better suited to a debate in our developer newsgroups/mailing lists, I suggest mozilla.dev.apps.firefox or mozilla.dev.platform

I am sympathetic to your concern as I, too, set my cookies to expire when I close the browser and am frustrated when they don't get cleared. For people who respond "just use the clear history on shutdown feature" note that ChandraGottumukkala is less concerned about when users choose that setting and more concerned that his --site-- has chosen to use "session" cookies and the browser has redefined the concept of "session" on them.

Debating either side in this bug will be counter productive.

Comment 4

[Sylvestre Ledru [:Sylvestre]]

Decreasing the priority as no update for the last 2 years on this bug.
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage 
about the priority meaning.

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:dao, could you have a look please?

For more information, please visit BugBot documentation.

Comment 7

[Dão Gottwald [:dao]]

(In reply to Daniel Veditz [:dveditz] from comment #3)

Unhiding bug (clearing the "security bug" flag) because this was a conscious
product decision that App Tabs are special, and are taken to indicate a
desire on the part of the user to keep working. Addressing that kind of
thing through a "bug" report when some of the participants do not believe it
to be a "bug" is generally not productive. This is better suited to a debate
in our developer newsgroups/mailing lists, I suggest
mozilla.dev.apps.firefox or mozilla.dev.platform

I am sympathetic to your concern as I, too, set my cookies to expire when I
close the browser and am frustrated when they don't get cleared. For people
who respond "just use the clear history on shutdown feature" note that
ChandraGottumukkala is less concerned about when users choose that setting
and more concerned that his --site-- has chosen to use "session" cookies and
the browser has redefined the concept of "session" on them.

Debating either side in this bug will be counter productive.

Hey Daniel, sorry to reopen a 13 year old discussion, but do you have any further thoughts on this? Do you think this is still a valid bug and worth keeping open?

Comment 8

[Daniel Veditz [:dveditz]]

The options have changed around a bit, and the behavior also. The equivalent setting today is "Delete cookies and site data when Nightly is closed", and that option does appear to delete cookies from sessionrestore (on a clean shutdown), and therefore from pinned tabs.