Closed Bug 685483 Opened 13 years ago Closed 13 years ago

PHP sessions remembered across restarts

Categories: Firefox :: Session Restore, defect
Version: 6 Branch
Hardware: x86, Windows XP
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED WORKSFORME
People: Reporter: maximodo, Assigned: zpao
Whiteboard: [sg:needinfo]

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Build ID: 20110902133214

Steps to reproduce:

I have created a website with a php login script:
<?php
session_start();
...
$_SESSION['sess_id'] = mysql_result($result, 0, 'id');
$_SESSION['sess_user'] = $_POST['user'];
...
?>
This session is later verified by the sub-pages by
<?php
session_start();
if (!isset($_SESSION['sess_user'])) {
  header("Location: login.php");
  exit;
}
...
?>


Actual results:

After restarting the browser the session didn't start anew, but was "remembered". 


Expected results:

The session should have been forgotten and started anew. 
This never happened before Firefox 6.0.2 and it will be a security issue for many webpages, unless a PHP script specifically uses variables inside the session to verify the user's permissions.
All other browsers always forget sessions on restart unless they're open in a tab on browser startup. I closed all tabs, created a new one, went on google.com, pressed shift+ctrl+r, restarted the browser and the session was still remembered.
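The report above relies on the browser discarding the session cookie at exit; a session cookie is only a hint to the client, and a browser that restores its session (or any client that simply keeps the cookie) can present it again after a restart. The defensive fix is to bound session lifetime on the server as well. The following is an added example, not code from the reporter or from Firefox; the idle and absolute limits, the `login_at`/`last_seen` keys and the helper names are assumptions chosen for illustration, and the `sess_id`/`sess_user` keys match the reporter's snippet.

```php
<?php
// Added example: server-side session lifetime enforcement, so that a session
// cookie the browser kept across a restart does not keep a login alive.
// The two limits below are assumed values, not from the bug report.

const SESSION_IDLE_LIMIT = 1800;      // 30 minutes without a request
const SESSION_ABSOLUTE_LIMIT = 28800; // 8 hours since login, regardless of activity

// Returns true only if the session carries a logged-in user and neither the
// idle limit nor the absolute limit has been exceeded at time $now.
function sessionIsValid(array $session, int $now): bool
{
    if (!isset($session['sess_user'], $session['login_at'], $session['last_seen'])) {
        return false;
    }
    if ($now - $session['last_seen'] > SESSION_IDLE_LIMIT) {
        return false; // idle too long
    }
    if ($now - $session['login_at'] > SESSION_ABSOLUTE_LIMIT) {
        return false; // logged in too long, force re-authentication
    }
    return true;
}

// Called by login.php after the credentials have been verified (the database
// lookup is left out here). A new session id is issued so that a session id
// handed out before login cannot be reused.
function startAuthenticatedSession(string $user, int $userId): void
{
    session_regenerate_id(true);
    $now = time();
    $_SESSION['sess_id']   = $userId;
    $_SESSION['sess_user'] = $user;
    $_SESSION['login_at']  = $now;
    $_SESSION['last_seen'] = $now;
}

// Called at the top of every protected sub-page. An expired session is
// destroyed and the user is sent back to login.php even though the browser
// still presented a cookie for it.
function requireLogin(): void
{
    session_start();
    if (!sessionIsValid($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header("Location: login.php");
        exit;
    }
    $_SESSION['last_seen'] = time(); // sliding idle window
}
```

With this in place the browser's cookie handling stops being a security boundary: whether or not the client discards the cookie at exit, the server refuses the session once the idle or absolute limit has passed, and the redirect to login.php in the reporter's check fires as intended.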
Paul: could you investigate this? The eternal-session issue is a known problem when people preserve their tabs, but in this case it is claimed that session cookies are being saved even for sites that are not in any open tab.

Jack (reporter): do you have the PHP test site open in a tab in Panorama? If so that might keep the cookies alive.
Assignee: nobody → paul
Component: General → Session Restore
QA Contact: general → session.restore
Whiteboard: [sg:needinfo]
Jack, can you host this test page somewhere so we can test?
Summary: New firefox 6.0.2 remembers php sessions on restart. Security Issue! → PHP sessions remembered across restarts
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #2)
> Jack, can you host this test page somewhere so we can test?

Hello. Sorry for taking such a long time to respond. I couldn't give you access to any login on my websites and didn't want to post the code because you would have a hard time simulating it with all its components. I wanted to create a new login just for you but then the firefox 7.0.1 came out and there's no problem anymore. The new fox doesn't remember the sessions :-) Thanks for your attention. Jack
Marking WORKSFORME given comment 3 -- please reopen if you think that is in error.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Group: core-security