Open Bug 879496 Opened 6 years ago Updated 4 months ago

session cookies must be discarded on user initiated browser exit

Categories

(Firefox :: Session Restore, defect)

defect
Not set

Tracking

()

People

(Reporter: mchyzer, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36

Steps to reproduce:

I logged into a website with a session cookie.
I closed my browser.
I opened my browser.
I clicked on history -> restore previous session


Actual results:

I am logged in with the session cookie from the previous session


Expected results:

I should have been prompted for login since the session cookie must be deleted.
Note: I know there are multiple bugs out there about this, e.g. 

https://bugzilla.mozilla.org/show_bug.cgi?id=530594

However, Jesse Ruderman asked me to open another bug on this serious security issue.  I was asked in this discussion:

https://bugzilla.mozilla.org/show_bug.cgi?id=443354

Here is a quote from the cookie spec, which Firefox is not implementing correctly and opens a huge security hole:

"3.3.1 The user agent applies these defaults for optional attributes that are missing:

   Discard The default behavior is dictated by the presence or absence
           of a Max-Age attribute.
   Max-Age The default behavior is to discard the cookie when the user
           agent exits."

Here are Jesse's thoughts from the previous thread:

> And you are saying that opening up a HUGE security hole is worth it why?  
> So that a user can click "History -> Restore Previous Session"?

I agree with you for the specific case of a clean, user-initiated shutdown when the user has not selected "When Firefox starts: Show my tabs and windows and tabs from last time".  Please file a bug if Firefox isn't getting it right in that case.

The other cases are:

* Restarts to install updates or extensions (where it's much more important to make security updates smooth than to maintain the illusion that process lifetime has anything to do with what users consider a "session")

* Crashes

* Pre-planned tab restoration (still controversial, with lots of room for clever heuristics; see bug 529899 and bug 530594).
Component: Untriaged → Session Restore
OS: Windows 8 → All
Hardware: x86_64 → All
Version: 21 Branch → Trunk
Status: UNCONFIRMED → NEW
Ever confirmed: true
You need to log in before you can comment on or make changes to this bug.