We have a serious issue with sensitive data. How can I completely disable sessionrestore.js file in network computers without doing it manually on each machine?

  • 11 replies
  • 2 have this problem
  • 6 views
  • Last reply by the-edmeister

more options

Hi,

Currently our organization uses the Firefox browser as the default browser. PCI auditors found sensitive data stored in our machines' System Volume Information folder. That folder contains sessionrestore.js backup files, which are stored by the Windows backup process each and every day. So now we need to disable the sessionrestore.js file on each and every machine. Also, we cannot manually set the "never remember history" option on each and every machine in the network. So is there any solution?

Edit put space after period at end of sentences as it was creating links.

Edited by James

All replies (11)

more options

A portable version of FF could solve this issue by personalizing the Data\Profile directory for each user. The "Data" directory can be placed on a secured store (with archiving and indexing by Windows disabled) and configured for use by FF through link files (lnk).

more options

"... which stored as windows backup process each and every day." Exclude those files from the Windows backup process?

more options

What data in the sessionstore.js file in particular is the problem?


You can set the browser.sessionstore.privacy_level pref to 2 (never) or 1 (non-HTTPS) on the about:config page to disable saving cookies via session restore in the sessionstore.js file. The browser.sessionstore.privacy_level_deferred pref is used when you do not reopen the previous session automatically via "Show my windows and tabs from last time" and uses the same values.
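One way to confirm the setting described above across many profiles without opening about:config on each machine, as an added example that is not part of the thread or Mozilla's own code: it reads each profile's prefs.js and user.js and reports the profiles where either pref is not 2. The function names, the directory layout passed to `audit_tree` and the sample profiles are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Prefs and value taken from the reply above: 2 means "never".
REQUIRED = {
    "browser.sessionstore.privacy_level": "2",
    "browser.sessionstore.privacy_level_deferred": "2",
}
# Matches e.g. user_pref("name", 2); lines commented out with // do not match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {name: raw value}; a later line for the same pref wins."""
    return dict(PREF_RE.findall(text))

def audit_profile(profile_dir):
    """Return {pref: value found, or None if unset} for prefs not set to 2."""
    prefs = {}
    # user.js is applied on top of prefs.js at startup, so read it last.
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            prefs.update(parse_prefs(path.read_text(encoding="utf-8", errors="replace")))
    return {n: prefs.get(n) for n, want in REQUIRED.items() if prefs.get(n) != want}

def audit_tree(profiles_root):
    """Audit each directory under profiles_root that contains a prefs.js."""
    report = {}
    for prefs_file in sorted(Path(profiles_root).glob("*/prefs.js")):
        findings = audit_profile(prefs_file.parent)
        if findings:
            report[prefs_file.parent.name] = findings
    return report

def demo():
    """Audit two constructed profiles (sample data, not from a real machine)."""
    ok = ('user_pref("browser.sessionstore.privacy_level", 2);\n'
          'user_pref("browser.sessionstore.privacy_level_deferred", 2);\n')
    bad = 'user_pref("browser.sessionstore.privacy_level", 1);\n'
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("aaaa.compliant", ok), ("bbbb.default", bad)):
            (Path(root) / name).mkdir()
            (Path(root) / name / "prefs.js").write_text(body, encoding="utf-8")
        return audit_tree(root)

if __name__ == "__main__":
    print(demo())
```

A pref reported as `None` is absent from the profile's files, so the browser's built-in default applies there.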

more options

>Exclude those files from the Windows backup process?

Not exactly.

For example, to manage every individual user profile data ("Data" directory) as one thing, place each into one directory, i.e. "User Data".

(1) Exclude those files from indexing, i.e. the "User Data" directory. Set additional directory attribute "Allow indexing..." of "User Data" with inheritance to all nested directories and files. Also exclude the "User Data" directory from the Windows Indexing Service and/or Windows Search Engine and other search engines, e.g. Google Desktop Search. Check the "System Volume Information" directory after reindexing (here is how to get access to it).

(2) If the auditor allows keeping sensitive user data in the secured backups, include the "User Data" directory in the backup process as desired. If the auditor disallows it, then exclude "User Data" from the backup process: e.g. if you are using Windows Archiving Service, include "User Data" in the "Files exclusion" list.

(3) Also look at System Volume Information

more options

Sorry you're having that problem, but this forum isn't intended for providing support for "organizations" - it's for end user support. Not saying that we don't want to help you, but your organization isn't using Firefox in a manner that we are familiar with, and not "as supplied by Mozilla".

You answered my obvious solution, to just not include that file in the backup routine. But you didn't respond to what cor-el posted.

What about changing browser.sessionstore.privacy_level as suggested?

How about disabling the sessionstore feature altogether? Your users may not be happy, but that should eliminate your auditor's concerns. http://kb.mozillazine.org/Browser.sessionstore.enabled

more options

Again not really the subjects we discuss here but Firefox deployments can make changes to all of your machines.

You possibly should also consider using Firefox ESR and seeking advice in their mailing list

more options

.ini and .js files are among the file types that are stored in the System Volume folder as part of an (automatic) System Restore point and there is probably not much that can be done to prevent this. If Session Restore is disabled altogether then it is also not possible to undo closed tabs and windows or restart Firefox when necessary.

more options

Hi Cor-el,

Thank you so much for your suggestions. Setting browser.sessionstore.privacy_level to 2 really worked for me. Also I can set the never remember history option too. But the problem is I have to configure it on each and every machine manually.

Recreation Process: I have found the following article regarding this matter. Reference: http://ceriksen.com/2012/07/26/firefox-sessionstore-js-and-privacy So anyone can reproduce this bug by following this methodology.

Edited by sampath_sl

more options

After reading this - http://ceriksen.com/2012/07/26/firefox-sessionstore-js-and-privacy/ - that does seem to be a large security issue, assuming that the Private information in the file mentioned at the end of that article is still valid - article is dated July 26, 2012.

Credit Card number, and Address, along with the First and Last Names are in there.

I don't have session restore (or history) activated in the only Profile that I use for banking or online purchases, so I can't test it myself.

more options

Hi the-edmeister,

Thank you so much for your suggestions. The latest version of Firefox also has this issue too. So someone can steal this kind of information using a malicious program.

Also I have checked the browser.sessionstore.max_tabs_undo and browser.sessionstore.resume_from_crash options. They didn't work out for me.

Edited by sampath_sl

more options

I thought the purpose of this thread was about the sessionstore.js file being backed up and your auditor finding fault with that happening?

And now you're gonna "cry wolf" over the remote possibility of a malicious program stealing data?

Too much of a stretch for my tastes, "color me gone".