Closed Bug 719705 Opened 13 years ago Closed 13 years ago

security.ask_for_password = 2 not being honored

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Version:
9 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: mm38691765, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 Build ID: 20111220165912 Steps to reproduce: In the UI options I have both "Remember passwords for sites" and "Use a master password" boxes checked, and I have some passwords saved. Now in about:config I've set security.ask_for_password = 2 security.password_lifetime = 3 and restarted FF. Now I visited a website that asks for one of my saved passwords. On request, I entered the Master Password, got my saved password filled into the website field and used them to logon to the website. Then I logged off the website (and now only have one tab open in FF which doesn't ask for any password.) Then i did 4 minutes absolutely nothing on my computer: no keystroke, no mouse movement, nothing. Note: I also tried the same with all plugins and extensions disabled (and FF restarted), same result. Actual results: Then I went again to a password asking website, and my saved password was inserted by FF right away. Expected results: FF should have asked me for my master password again before a inserting saved password, as the 3 minute timeout had clearly expired.
Depends on how precise the expiration is. Maybe it +- several minutes. Can you try waiting longer, like 10 minutes? At least to see if it eventually kicks in, if not at the right time.
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
QA Contact: untriaged → password.manager
(In reply to :aceman from comment #1) I waited for 35 minutes (screensaver kicked in for 15 minutes), still could retrieve a password without being asked for the master password again.
Firefox doesn't expire your MP in a session (unless you do it manually by going to prefs > saved passwords > show). I think Seamonkey has a timeout, but Firefox does not.
There is an extension that provides a master password timeout: https://addons.mozilla.org/en-US/firefox/addon/master-password-timeout/
Michael, thanks for reporting and following up. As it stands, this isn't a bug and there's an extension available to help your case, so I'm going to make this bug invalid. Thanks again and keep reporting issues!
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Paul, I'm confused - so you're saying looking at http://kb.mozillazine.org/About:config_entries#Security. the entry for security.ask_for_password is wrong and FF doesn't support setting 2: Every n minutes, where n is the value in security.password_lifetime. at all?? Also please note that extension https://addons.mozilla.org/en-US/firefox/addon/master-password-timeout/ has been discontinued and does *NOT* support FF 9 Branch.
(In reply to Michael from comment #6) > Paul, I'm confused - so you're saying looking at > http://kb.mozillazine.org/About:config_entries#Security. > the entry for > security.ask_for_password > is wrong and FF doesn't support setting > 2: Every n minutes, where n is the value in security.password_lifetime. > at all?? The page isn't exactly wrong since it's not a Firefox-specific page: "In most cases the list below doesn't state whether a given preference applies to all, or only some (and which), of Firefox, Thunderbird, Mozilla Suite, SeaMonkey, or even the now discontinued Sunbird: trial and error is often the only way to tell if some particular preference applies to your version of your application." The description of the relevant prefs mention "Mozilla mail" so I doesn't claim to work in Firefox and I don't find code that checks those preferences. > Also please note that extension > https://addons.mozilla.org/en-US/firefox/addon/master-password-timeout/ > has been discontinued and does *NOT* support FF 9 Branch. While it isn't marked as compatible by the author, it does work for me by overriding compatibility. You can do this by installing the add-on compatibility reporter extension[1] or by running Firefox Beta[2] (version 10) or newer where add-ons are compatible by default. [1] https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/ [2] https://www.mozilla.org/en-US/firefox/channel/
You need to log in before you can comment on or make changes to this bug.