Open Bug 679921 Opened 13 years ago Updated 12 years ago

sessionstore.json sessionstore.bak not encrypted (SeaMonkey and Firefox)

Categories

(SeaMonkey :: Session Restore, enhancement)

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: mtrusfus, Unassigned)

Details

(Keywords: privacy)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20110813 Firefox/6.0 SeaMonkey/2.3
Build ID: 20110813174900

Steps to reproduce:

Listed the contents of the profile directory and found the files "sessionstore.bak" and "sessionstore.json".


Actual results:

The content of the files "sessionstore.bak" and "sessionstore.json" is not encrypted by the Master Password. The files "sessionstore.bak" and "sessionstore.json" remain on disk after the program terminates. Anyone can steal personal data (cookies) from the "sessionstore.bak" and "sessionstore.json" files.


Expected results:

The content of the files "sessionstore.bak" and "sessionstore.json" MUST BE encrypted by the Master Password. The files "sessionstore.bak" and "sessionstore.json" MUST BE deleted when the program terminates.

Passwords are not stored in sessionstore.json so the Master Password doesn't come into play. Even if sessionstore were deleted your permanent cookies are stored unencrypted in the cookie database. Storing "session" cookies in the sessionrestore file is sort of the point of the feature, but there are current arguments (and bugs filed) about what should happen in a non-crash situation.

Although filed against SeaMonkey it probably shares the Firefox implementation, but I couldn't find an appropriate bug Component in Toolkit.
Group: core-security
Keywords: privacy
Summary: sessionstore.json sessionstore.bak not encrypted → sessionstore.json sessionstore.bak not encrypted (SeaMonkey and Firefox)
(In reply to Daniel Veditz from comment #1)
> Although filed against SeaMonkey it probably shares the Firefox
> implementation, but I couldn't find an appropriate bug Component in Toolkit.

SeaMonkey has its own session restore that is mostly identical, but not always, to Firefox's.
Component: Passwords & Permissions → Session Restore
QA Contact: privacy → session.restore
Severity: normal → enhancement
OS: Windows 7 → All
Hardware: x86_64 → All
Version: SeaMonkey 2.3 Branch → unspecified