Bug 704779 - App tabs cause Firefox to remember _all_ previous sessions after restart
Status: RESOLVED WORKSFORME (Closed)
Opened 13 years ago; Closed 12 years ago
Categories: Firefox :: Session Restore, defect
People: Reporter: mattias.forss, Unassigned
Keywords: privacy, sec-low; Whiteboard: [sg:low]
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20111104165243
Steps to reproduce:
1. Create an app tab which uses session restore for any site 1 that requires login
2. Open a new tab which does not use session restore and log in to some other site 2
3. Exit Firefox using the close button in the upper right corner
4. Start Firefox
5. Open site 2 in a new tab
Actual results:
1. App tab restores
2. Site 2 restores session (security issue)
Expected results:
1. App tab restores
2. Site 2 requires login
Comment 1 • 13 years ago
This is essentially a special case of bug 530594, except that the user does not get the benefit of session restore and --still-- has immortal session cookies.
Expanding on the steps to reproduce:
1. Make sure about:home is your homepage and you have no app tabs (that is, you're not already in some session-restoring state)
2. "control" or expected behavior:
2a. log into some site that uses SESSION cookies for auth. example: mail.yahoo.com. Do NOT check any "keep me logged in" or "remember me" boxes
2b. Quit Firefox
2c. Restart Firefox -- you should get the about:home screen
2d. Go to site from 2a and you should no longer be logged in. IF YOU ARE logged in start over, and either choose a different site or fix whatever is remembering sessions.
3. Log back into the site from 2a, again using session cookies and not any "remember me" setting.
4. Go to another site, say news.google.com, and make it an app tab
5. Quit
6. Restart. You should have
a) news.google.com app tab
b) about:home screen with a big "Restore Session" button
7. do NOT press the restore session button, instead manually navigate to the site in 2a/3
Expected:
You must log in. Clearly if you didn't press the "Restore Session" button you are in a fresh unrestored state, right?
Actual:
You are still logged in.
Leaving aside that I'm already unhappy with bug 530594, you can argue in that case we're doing what the user said to do (even if they didn't realize that's what they were telling us). This case is clearly misleading to the user.
Remembering app tabs should be separate from sessions, and if the apps require permanent log-in the user can either take advantage of the site's settings (e.g. Google or Yahoo's "remember me" permanent cookie options) or can turn on session-remembering in Firefox options. Or we could hook up a parallel session-restore for app-tabs cookies.
Status: UNCONFIRMED → NEW
Component: General → Session Restore
Depends on: eternalsession
Ever confirmed: true
QA Contact: general → session.restore
Whiteboard: [sg:low]
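The privacy concern in comment 1 is that a persisted session (kept for the app tab) carries session cookies for sites that have nothing to do with the pinned tab. The following is an added checker, not Mozilla's code and not taken from this bug, that audits a sessionstore-style JSON document for exactly that: session cookies whose host is not covered by any pinned (app) tab. The JSON shape (top-level "windows", each with "tabs" carrying a "pinned" flag and "entries" with "url", plus a per-window "cookies" list with "host"/"name"/"value") is an assumption modelled on Firefox's sessionstore data; the real on-disk file is compressed and may carry more fields, so treat the field names as illustrative. The sample document is constructed for the example and mirrors the hosts used in the steps above.

```python
import json
from urllib.parse import urlparse

# Constructed sample in a sessionstore-like shape (assumed field names, not a
# real profile dump): one pinned app tab for news.google.com, one ordinary tab
# for mail.yahoo.com, and session cookies for both sites persisted alongside.
SAMPLE_SESSIONSTORE = json.dumps({
    "windows": [{
        "tabs": [
            {"pinned": True, "entries": [{"url": "https://news.google.com/"}]},
            {"pinned": False, "entries": [{"url": "https://mail.yahoo.com/"}]},
        ],
        "cookies": [
            {"host": "news.google.com", "name": "NID", "value": "constructed"},
            {"host": ".yahoo.com", "name": "Y", "value": "constructed"},
            {"host": "mail.yahoo.com", "name": "T", "value": "constructed"},
        ],
    }]
})


def cookie_host_matches(cookie_host, tab_host):
    """True if a cookie stored for cookie_host would be sent to tab_host.

    A leading '.' marks a domain cookie that applies to the domain and all of
    its subdomains; a host-only cookie must match the tab's host exactly.
    """
    if cookie_host.startswith("."):
        bare = cookie_host[1:]
        return tab_host == bare or tab_host.endswith("." + bare)
    return tab_host == cookie_host


def app_tab_hosts(state):
    """Collect the hostnames of every history entry in every pinned (app) tab."""
    hosts = set()
    for window in state.get("windows", []):
        for tab in window.get("tabs", []):
            if not tab.get("pinned"):
                continue
            for entry in tab.get("entries", []):
                host = urlparse(entry.get("url", "")).hostname
                if host:
                    hosts.add(host)
    return hosts


def leaked_session_cookies(sessionstore_json):
    """Return (host, name) for every persisted cookie no app tab needs.

    Anything in this list is state that survives a restart even though the
    user never pressed "Restore Session" and the only thing they asked to
    keep was the app tab itself.
    """
    state = json.loads(sessionstore_json)
    app_hosts = app_tab_hosts(state)
    leaked = []
    for window in state.get("windows", []):
        for cookie in window.get("cookies", []):
            if not any(cookie_host_matches(cookie["host"], h) for h in app_hosts):
                leaked.append((cookie["host"], cookie["name"]))
    return leaked


if __name__ == "__main__":
    for host, name in leaked_session_cookies(SAMPLE_SESSIONSTORE):
        print(f"session cookie persisted without an app tab needing it: {name} for {host}")
```

Run against the sample, the checker flags both Yahoo cookies and accepts only the Google cookie, which is the split comment 1 asks for: app-tab state kept, everything else dropped. The same function can be pointed at a decoded sessionstore document from a test profile after the "Quit / Restart / do not restore" sequence to confirm whether a given build still exhibits the behaviour.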
Comment 2 • 13 years ago
Even app tabs should not remember session. Maybe *esp.* so. I think most people would be upset to see their gmail being wide open. If anything, it should be an opt-in setting.
Whoever coded this should get a set of hot ears both for inventing this, and for the implementation affecting other sides.
Comment 3 • 13 years ago
s/sides/sites/
Comment 4 • 13 years ago
Your advocacy isn't relevant to this bug. Take it elsewhere, please.
Comment 5 • 13 years ago
This is:
> Even app tabs should not remember session.
Updated • 13 years ago
Group: core-security
Comment 6 • 13 years ago
(In reply to Ben Bucksch (:BenB) from comment #2)
> Whoever coded this should get a set of hot ears both for inventing this, and
> for the implementation affecting other sides.
Excellent, I have a birthday coming up. Thanks for thinking of me.
So in a brand new profile following STR in comment #1, this is WFM. I was pretty careful about this, see https://bugzilla.mozilla.org/show_bug.cgi?id=588482#c34 (though the default pref values changed since then).
Comment 7 • 12 years ago
WFM per comment 6.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME