Closed Bug 752104 Opened 13 years ago Closed 12 years ago

Firefox retaining password even though not in saved

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
12 Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 345345

People

(Reporter: lapis28, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_8) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.163 Safari/535.19

Steps to reproduce:

Since I updated to FF12, now my google and facebook passwords are retained by FF, even though they are not listed in the saved password list. I do not want to make the sites exceptions because then the sites would be listed in that list. I want to say "not now" like I always had been able to and just not have any info retained. 

In 3.6.28, if I was logged in, chose "not now" to not remember the password, and then closed the browser, I would have to log in again when I opened the browser. Now with 12, if I close the browser, I am automatically logged back in (and I do not have "remember me" checked either). I DO NOT want FF remember this password. How do I make it stop?

I have only had this issue on XP since my Macs are home computers and are set to save my info. 


Actual results:

The sites I was logged in to prior to closing the browser logged me back in automatically after I closed and reopened the browser, even when I chose "not now" so the password would not be retained. The password is not on the list, so the password is not being saved there or in the cache (clearing the cache also did nothing). 


Expected results:

I should be able to close the browser and be automatically logged out so that I have to log in again once I reopen the browser, like with 3.6.28. This is a security issue.
How do you know that the password is retained? Sounds more like you have saved cookies.
Looks like it is restored via the session cookies not being released. I received this answer via mozillazine: 

"In that case the sessionstore.js file stores the cookies from the sites in the open tabs and that causes you to stay logged in.

Set the browser.sessionstore.privacy_level pref to 2 (never) or 1 (non-HTTPS, default in Firefox 3 versions) on the about:config page to disable saving cookies via session restore.
You can change the browser.sessionstore.privacy_level_deferred pref that is used when you do not reopen the previous session automatically via "Show my windows and tabs from last time"."

I will try this tomorrow on the PC since I do used restore session. 

This is a rather significant change  to me - to alter the default for retaining privacy data via a session. If something this significant is being changed, I think it should be announced at the time of update or it should continue to set the way it was in previous versions as default. 

I will close this post once I confirm that this fix works for me.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.