
App tabs causes Firefox to remember _all_ previous sessions after restart

RESOLVED WORKSFORME

Status: RESOLVED WORKSFORME
Reported: 7 years ago
Modified: 6 years ago

People

(Reporter: mattias.forss, Unassigned)

Tracking

Depends on: 1 bug
Keywords: privacy, sec-low
Version: 8 Branch
Platform: x86_64 Windows 7
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low])

Description (Reporter)

7 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20111104165243

Steps to reproduce:

1. Create an app tab which uses session restore for any site 1 that requires login
2. Open a new tab which does not use session restore and log in to some other site 2
3. Exit Firefox using the close button in the upper right corner
4. Start Firefox
5. Open site 2 in a new tab

Actual results:

1. App tab restores
2. Site 2 restores session (security issue)

Expected results:

1. App tab restores
2. Site 2 requires login

Comment 1

This is essentially a special case of bug 530594, except that the user does not get the benefit of session restore and --still-- has immortal session cookies.

Expanding on the steps to reproduce
1. Make sure about:home is your homepage and you have no app tabs
   (that is, you're not already in some session-restoring state)

2. "control" or expected behavior:
 2a. log into some site that uses SESSION cookies for auth.
     example: mail.yahoo.com
     Do NOT check any "keep me logged in" or "remember me" boxes
 2b. Quit Firefox
 2c. Restart Firefox -- you should get the about:home screen
 2d. Go to site from 2a and you should no longer be logged in.
     IF YOU ARE logged in start over, and either choose a different
     site or fix whatever is remembering sessions.

3. Log back into the site from 2a, again using session cookies
   and not any "remember me" setting.
4. Go to another site, say news.google.com, and make it an app tab
5. Quit
6. Restart. You should have
   a) news.google.com app tab
   b) about:home screen with a big "Restore Session" button

7. do NOT press the restore session button, instead manually
   navigate to the site in 2a/3

Expected:
   You must log in. Clearly if you didn't press the "Restore Session"
   button you are in a fresh unrestored state, right?

Actual:
  You are still logged in.

Leaving aside that I'm already unhappy with bug 530594, you can argue in that case we're doing what the user said to do (even if they didn't realize that's what they were telling us). This case is clearly misleading to the user.

Remembering app tabs should be separate from sessions, and if the apps require permanent log-in the user can either take advantage of the site's settings (e.g. Google or Yahoo's "remember me" permanent cookie options) or can turn on session-remembering in Firefox options. Or we could hook up a parallel session-restore for app-tabs cookies.
Status: UNCONFIRMED → NEW
Component: General → Session Restore
Depends on: 530594
Ever confirmed: true
QA Contact: general → session.restore
Whiteboard: [sg:low]
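Both procedures above (the reporter's STR and the expanded control/test sequence) are manual: quit, restart, see whether a site still has you logged in. A way to check the same thing from the profile on disk is to look at what the session store actually holds, since session restore keeps session cookies only for tabs it intends to restore. The script below is an added example, not code from this bug or from Firefox. It assumes the old plain-JSON sessionstore.js layout (a top-level "windows" list, each window with "tabs" whose entries carry "entries", "index" and, for an app tab, "pinned": true, plus a "cookies" list of host/name/path/value; newer files also put "cookies" at the top level) and reports which stored session cookies belong to a host an app tab references and which do not. The sample session store is constructed to mirror the STR: one pinned news.google.com tab and leftover session cookies for mail.yahoo.com.

```python
"""Audit a Firefox session-store JSON file for the session cookies it would restore.

Added example, not from the bug or from Firefox. Assumed layout (pre-mozlz4
sessionstore.js): {"windows": [{"tabs": [{"entries": [{"url": ...}],
"index": 1, "pinned": true}], "cookies": [{"host", "name", "path", "value"}]}],
"cookies": [...]}.  Real profiles since Firefox 56 compress this JSON with
mozlz4; decompress first, then feed the text to audit_session_cookies().
"""
import json
from urllib.parse import urlparse

# Constructed sample mirroring the steps to reproduce: an app tab on
# news.google.com and session cookies left behind by mail.yahoo.com.
SAMPLE_SESSIONSTORE = json.dumps({
    "windows": [{
        "tabs": [
            {"entries": [{"url": "https://news.google.com/"}], "index": 1, "pinned": True},
            {"entries": [{"url": "https://mail.yahoo.com/"}], "index": 1},
        ],
        "cookies": [
            {"host": "news.google.com", "name": "NID", "path": "/", "value": "x"},
            {"host": ".yahoo.com", "name": "T", "path": "/", "value": "y"},
            {"host": ".yahoo.com", "name": "Y", "path": "/", "value": "z"},
        ],
    }]
})


def _host_matches(cookie_host, tab_host):
    """Domain-match a cookie host against a tab host.

    A leading dot means the cookie also applies to subdomains (".yahoo.com"
    matches "mail.yahoo.com"); without it the match must be exact.
    """
    if cookie_host.startswith("."):
        bare = cookie_host[1:]
        return tab_host == bare or tab_host.endswith("." + bare)
    return tab_host == cookie_host


def _current_host(tab):
    """Hostname of the tab's current history entry ("index" is 1-based)."""
    entries = tab.get("entries", [])
    current = tab.get("index", len(entries))
    if not 0 < current <= len(entries):
        return None
    return urlparse(entries[current - 1].get("url", "")).hostname


def audit_session_cookies(sessionstore_text):
    """Return (pinned_hosts, cookies_for_pinned, cookies_for_other).

    cookies_for_other are session cookies kept for restore although no app
    (pinned) tab references their host: exactly what this bug is about.
    """
    data = json.loads(sessionstore_text)
    windows = data.get("windows", [])

    pinned_hosts = set()
    for window in windows:
        for tab in window.get("tabs", []):
            host = _current_host(tab) if tab.get("pinned") else None
            if host:
                pinned_hosts.add(host)

    # Cookies may live per window (old layout) or at the top level (newer).
    stored = [c for w in windows for c in w.get("cookies", [])]
    stored += data.get("cookies", [])

    cookies_for_pinned, cookies_for_other = [], []
    for cookie in stored:
        label = f"{cookie['host']}{cookie.get('path', '/')} {cookie['name']}"
        if any(_host_matches(cookie["host"], h) for h in pinned_hosts):
            cookies_for_pinned.append(label)
        else:
            cookies_for_other.append(label)
    return sorted(pinned_hosts), cookies_for_pinned, cookies_for_other


if __name__ == "__main__":
    pinned, needed, extra = audit_session_cookies(SAMPLE_SESSIONSTORE)
    print("app tabs:", pinned)
    print("session cookies needed by app tabs:", needed)
    print("session cookies kept with no app tab for their host:", extra)
```

To run it against a real profile, pass the decompressed text of sessionstore-backups/recovery.jsonlz4 (or the profile's sessionstore.js on old versions) instead of SAMPLE_SESSIONSTORE; an empty third list after the "app tab only" quit in step 6 is the behaviour the expected results ask for, and any entry in it names a host that will come back logged in without "Restore Session" being pressed.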

Comment 2

7 years ago
Even app tabs should not remember session. Maybe *esp.* so. I think most people would be upset to see their gmail being wide open. If anything, it should be an opt-in setting.

Whoever coded this should get a set of hot ears both for inventing this, and for the implementation affecting other sides.

Comment 3

7 years ago
s/sides/sites/

Your advocacy isn't relevant to this bug. Take it elsewhere, please.

Comment 5

7 years ago
This is:
> Even app tabs should not remember session.

Updated

7 years ago
Group: core-security

Comment 6

(In reply to Ben Bucksch (:BenB) from comment #2)
> Whoever coded this should get a set of hot ears both for inventing this, and
> for the implementation affecting other sides.

Excellent, I have a birthday coming up. Thanks for thinking of me.

So in a brand new profile following STR in comment #1, this is WFM. I was pretty careful about this, see https://bugzilla.mozilla.org/show_bug.cgi?id=588482#c34 (though the default pref values changed since then).

Updated

6 years ago
Keywords: privacy

Comment 7

6 years ago
WFM per comment 6.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME