785752 - session remains open on gmail when restoring tabs

Status: RESOLVED DUPLICATE of bug 443354

(Firefox :: Session Restore, defect)

Description

[philippe]

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

My firefox is set to never save GMAIL passwords. It should be impossible to just open the GAMIL app and get connected.
I use to open a specific web page when opening firefox but for some reasons changed to reopen the last tabs. Inside the last tabs was an opened GMAIL session.


Actual results:

When restarting firefox it restored the GMAIL session. That means the password was kept and restored even though the security settings should prevent that.


Expected results:

Though it is understandable that wanting to restore the last tabs should bring up all existing alive sessions, it is a breach when firefow should never store any password. That means it keeps cookies despite the fact it shouldn't.
What is more bothering is the fact that if the user keeps opening the same web page it doesn't happen but changing to reopen the last tabs keeps the session alive. Somebody could then simply chnage the settings and let somebody close its firefox application, restarting it might bring up existing alive sessions giving unauthorised access (at least not as expected by the prime user).
The way firefox restarts (keeping or not the tabs) has then an impact on how security settings are enforced, something which could be maliciously used to gain access to a password protected account.

Comment 1

[Matthias Versen [:Matti]]

The password isn't kept but instead the session cookie