User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20111104165243

Steps to reproduce:
1. Create an app tab which uses session restore for any site 1 that requires login
2. Open a new tab which does not use session restore and log in to some other site 2
3. Exit Firefox using the close button in the upper right corner
4. Start Firefox
5. Open site 2 in a new tab

Actual results:
1. App tab restores
2. Site 2 restores session (security issue)

Expected results:
1. App tab restores
2. Site 2 requires login
This is essentially a special case of bug 530594, except that the user does not get the benefit of session restore and --still-- has immortal session cookies.

Expanding on the steps to reproduce:

1. Make sure about:home is your homepage and you have no app tabs (that is, you're not already in some session-restoring state).
2. "Control" or expected behavior:
   2a. Log into some site that uses SESSION cookies for auth. Example: mail.yahoo.com. Do NOT check any "keep me logged in" or "remember me" boxes.
   2b. Quit Firefox.
   2c. Restart Firefox -- you should get the about:home screen.
   2d. Go to the site from 2a and you should no longer be logged in. IF YOU ARE logged in, start over, and either choose a different site or fix whatever is remembering sessions.
3. Log back into the site from 2a, again using session cookies and not any "remember me" setting.
4. Go to another site, say news.google.com, and make it an app tab.
5. Quit.
6. Restart. You should have
   a) the news.google.com app tab
   b) the about:home screen with a big "Restore Session" button
7. Do NOT press the restore session button; instead manually navigate to the site in 2a/3.

Expected: You must log in. Clearly if you didn't press the "Restore Session" button you are in a fresh, unrestored state, right?

Actual: You are still logged in.

Leaving aside that I'm already unhappy with bug 530594, you can argue in that case we're doing what the user said to do (even if they didn't realize that's what they were telling us). This case is clearly misleading to the user. Remembering app tabs should be separate from sessions, and if the apps require permanent log-in the user can either take advantage of the site's settings (e.g. Google or Yahoo's "remember me" permanent cookie options) or can turn on session-remembering in Firefox options. Or we could hook up a parallel session-restore for app-tab cookies.
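The distinction the steps above rely on is between a session cookie (a Set-Cookie with no Expires or Max-Age attribute, which a browser is expected to drop when it exits) and a persistent "remember me" cookie. The following is an added example, not code from the bug report or from Firefox: a small cookie jar that parses Set-Cookie headers, classifies each cookie, and models browser exit with and without session restore. The cookie names and header values are constructed for illustration.

```javascript
// Added example (not from the bug report): models which cookies should survive
// a browser exit. Session cookies (no Expires/Max-Age) are discarded unless the
// session is being restored; persistent cookies survive either way.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), expires: null };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'max-age') {
      // RFC 6265: Max-Age takes precedence over Expires when both are present.
      cookie.expires = Date.now() + Number(v) * 1000;
    } else if (key === 'expires' && cookie.expires === null) {
      const t = Date.parse(v);
      if (!Number.isNaN(t)) cookie.expires = t;
    }
  }
  return cookie;
}

// A cookie with no expiry is a session cookie: it should not outlive the browser.
function isSessionCookie(cookie) {
  return cookie.expires === null;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  store(header) {
    const c = parseSetCookie(header);
    this.cookies.set(c.name, c);
  }

  // Model browser exit. restoreSession=false is the case the report expects:
  // the user did not press "Restore Session", so session cookies must go.
  browserExit(restoreSession) {
    if (restoreSession) return;
    for (const [name, c] of this.cookies) {
      if (isSessionCookie(c)) this.cookies.delete(name);
    }
  }

  names() { return [...this.cookies.keys()].sort(); }
}

// Constructed scenario: one login session cookie, one "keep me logged in" cookie.
function simulate(restoreSession) {
  const jar = new CookieJar();
  jar.store('SESSID=abc123; Path=/; HttpOnly; Secure');            // session cookie
  jar.store('remember_me=tok456; Max-Age=2592000; Path=/; Secure'); // persistent, 30 days
  jar.browserExit(restoreSession);
  return jar.names();
}

console.log('without restore:', simulate(false)); // only remember_me should remain
console.log('with restore:   ', simulate(true));  // both cookies remain
```

The bug described in this report corresponds to the jar behaving as if `restoreSession` were true even though the user never chose to restore: `SESSID` survives the restart and the site still treats the user as logged in. A site that must not rely on browser cookie-lifetime handling should additionally enforce server-side idle expiry of the session record.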
Status: UNCONFIRMED → NEW
Component: General → Session Restore
Depends on: 530594
Ever confirmed: true
QA Contact: general → session.restore
Even app tabs should not remember session. Maybe *esp.* so. I think most people would be upset to see their gmail being wide open. If anything, it should be an opt-in setting. Whoever coded this should get a set of hot ears both for inventing this, and for the implementation affecting other sides.
Your advocacy isn't relevant to this bug. Take it elsewhere, please.
This is:

> Even app tabs should not remember session.
(In reply to Ben Bucksch (:BenB) from comment #2)
> Whoever coded this should get a set of hot ears both for inventing this, and
> for the implementation affecting other sides.

Excellent, I have a birthday coming up. Thanks for thinking of me.

So in a brand new profile following STR in comment #1, this is WFM. I was pretty careful about this, see https://bugzilla.mozilla.org/show_bug.cgi?id=588482#c34 (though the default pref values changed since then).
WFM per comment 6.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME