Firefox Cookie sharing between Main window and Private window
Hi. In my application, for a sensitive flow, I have appended a sync token to resolve the CSRF issue. When I test this in Firefox, I log in as User A in the main window and as User B in a private window. While testing I found that the sync token is the same for both users, even though they are different users logged in in different windows (main window and private window). But when I tried the same thing in Chrome I did not have this problem: the sync token is different in each window. So does the session from the main window share the same session with the private window? Is it browser-specific? Can you please help me resolve the issue, or do I need to modify any settings in the browser? Thanks in advance.
All Replies (4)
Cookies definitely should not be shared between the regular session windows and the private session windows; there should be two distinct cookie jars. I'm not aware of any setting that could change it.
Is there a site online that demonstrates the problem (either a live application or a stripped down test case)?
Thanks for your reply :). It is not an internet-exposed site. I get the sync token from the server and append it to the corresponding URL as a GET request; the request is formed properly and the flow works perfectly. But when I log in as User A in the main window and as User B in the private window, then intercept the request and modify a few params (providing User A's values instead of User B's), I can see that User A's and User B's sync tokens are the same. So the details are not deleted from User B's account (because the corresponding value is not available in User B's account; it is available in User A's); instead, when I refresh User A's main window, the message has been deleted. It is a kind of CSRF issue; to fix it I tried a sync token, but with the sync token I am getting this problem :(. When I tried the same thing in Chrome, the sync token is different. So is it browser-specific? Even if it is browser-specific, it should not share the same sync token for different users, right? Please let me know if you need more info.
That is strange. Are you sure User A and User B have different sessions on the server? The CSRF token generated by the server should be valid only in one session on the server, and if there is an attempt to use it in a different session, the server should disregard the request. In other words, the session cookie and CSRF token must match. It sounds as though your User B had User A's session cookie as well as its CSRF token. It should not have had either.
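The check the reply above describes (a synchronizer token that is only valid for the server session that issued it) is easy to state precisely in code. The following is an added example, not code from the poster's application or from the Struts framework: it models the server-side session as an in-memory dictionary and uses hypothetical names (SESSIONS, create_session, handle_sensitive_request). It shows two sessions receiving distinct tokens, User A's own request succeeding, and User A's token being refused when it arrives with User B's session cookie, which is exactly the cross-session case the poster is hitting.

```python
import hmac
import secrets

# Hypothetical in-memory session store standing in for the server's HttpSession.
# Key: opaque session id carried in the session cookie; value: per-session state.
SESSIONS = {}


def create_session():
    """Start a new server session and return its session id (the cookie value)."""
    sid = secrets.token_urlsafe(32)
    # The CSRF token is generated once per session and stored only server-side.
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server renders into the forms/links of this session's pages."""
    return SESSIONS[sid]["csrf_token"]


def handle_sensitive_request(session_cookie, submitted_token, action):
    """
    Server-side handling of a state-changing request.

    The submitted token is compared against the token stored in the session
    named by the cookie, never against a global value. A token issued to a
    different session (e.g. User A's token sent with User B's cookie) fails.
    Returns (http_status, message).
    """
    session = SESSIONS.get(session_cookie)
    if session is None:
        return (403, "no valid session")
    expected = session["csrf_token"]
    # Constant-time comparison so the check does not leak token bytes via timing.
    if submitted_token is None or not hmac.compare_digest(expected, submitted_token):
        return (403, "csrf token does not belong to this session")
    return (200, f"performed: {action}")


def demo():
    """Constructed scenario: two users, two sessions, one cross-session attempt."""
    user_a = create_session()
    user_b = create_session()
    return {
        "distinct_tokens": csrf_token_for(user_a) != csrf_token_for(user_b),
        "a_own_token": handle_sensitive_request(user_a, csrf_token_for(user_a), "delete message")[0],
        # User B's session cookie with User A's token: must be rejected.
        "b_with_a_token": handle_sensitive_request(user_b, csrf_token_for(user_a), "delete message")[0],
        "missing_token": handle_sensitive_request(user_a, None, "delete message")[0],
        "unknown_session": handle_sensitive_request("not-a-session", csrf_token_for(user_a), "delete message")[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points worth noting against the thread: the token is looked up through the session cookie, so two logged-in users can never share one unless they share a session, and the token is expected in the request body of a POST rather than in a GET query string, because a token in a URL is exposed through browser history, server logs and the Referer header.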
Yes, it is very strange. The sessions for User A and User B are different. To get a token I used the snippet below: <bean:write name="<%=subAppContextName%>" property="token" scope="session"/> I am not sure whether scope="session" causes any issue. Anyway, I have tried a different method to get a token; will see what happens. But my confusion is that in Chrome it works fine, always getting a different token. So I am not sure what the problem is.