
Support Forum

This thread was archived. Please ask a new question if you need help.

Firefox 59 is not deleting session cookies on browser quit

Posted

I have a site that uses session cookies to maintain my single sign on (via SAML). When I quit Firefox and restart, that session cookie has not been deleted even though it is set to expire when the session expires. So my SAML site happily logs me back in without any credentials even after I quit and restart the browser. The only way to fix this is to manually delete the cookies. This seems like an exceptionally large security hole that should be addressed. Firefox should delete session cookies when you quit the browser.

Additional System Details

Installed Plug-ins

  • Shockwave Flash 28.0 r0

Application

  • Firefox 59.0.2
  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0
  • Support URL: https://support.mozilla.org/1/firefox/59.0.2/Darwin/en-US/

Extensions

  • 1Password extension (desktop app required) 4.7.0.90 (onepassword4@agilebits.com)
  • Blank New Tab 2.0.0 (blanknewtab@goodthings)
  • Cisco WebEx Extension 1.0.15 (ciscowebexstart1@cisco.com)
  • Context Plus 0.5.0 ({bb682c45-3136-4213-bf29-5f5833080bf4})
  • Facebook Container 1.3.1 (@contain-facebook)
  • Firefox Multi-Account Containers 6.0.0 (@testpilot-containers)
  • FoxReplace 2.2.0 (fox@replace.fx)
  • Inoreader Companion 4.1.6 (inodhwnfgtr463428675drebcs@jetpack)
  • OneNote Web Clipper 3.7.7 (Clipper@OneNote.com)
  • Share on Twitter 0.60.2 (jid1-SmvuJ9Cq3Cx13w@jetpack)
  • uBlock Origin 1.16.2 (uBlock0@raymondhill.net)
  • Adobe Acrobat 18.0.8 (web2pdfextension.17@acrobat.adobe.com) (Inactive)
  • Xmarks Bookmark Sync 4.5.0.8 (foxmarks@kei.com) (Inactive)

JavaScript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription:
  • adapterDeviceID: 0x1927
  • adapterDrivers:
  • adapterRAM:
  • adapterVendorID: 0x8086
  • crashGuards: []
  • driverDate:
  • driverVersion:
  • featureLog: {u'fallbacks': [], u'features': [{u'status': u'available', u'description': u'Compositing', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'HW_COMPOSITING'}, {u'status': u'available', u'description': u'OpenGL Compositing', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'OPENGL_COMPOSITING'}, {u'status': u'unavailable', u'description': u'WebRender', u'log': [{u'status': u'opt-in', u'message': u'WebRender is an opt-in feature', u'type': u'default'}, {u'status': u'unavailable', u'message': u"Build doesn't include WebRender", u'type': u'runtime'}], u'name': u'WEBRENDER'}, {u'status': u'available', u'description': u'Off Main Thread Painting', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'OMTP'}]}
  • info: {u'TileHeight': 1024, u'ApzWheelInput': 1, u'ApzDragInput': 1, u'ApzKeyboardInput': 1, u'ApzAutoscrollInput': 1, u'AzureFallbackCanvasBackend': u'none', u'TileWidth': 1024, u'AzureCanvasAccelerated': 1, u'AzureCanvasBackend': u'skia', u'AzureContentBackend': u'skia'}
  • numAcceleratedWindows: 1
  • numTotalWindows: 1
  • offMainThreadPaintEnabled: True
  • webgl1DriverExtensions: GL_ARB_blend_func_extended GL_ARB_draw_buffers_blend GL_ARB_draw_indirect GL_ARB_ES2_compatibility GL_ARB_explicit_attrib_location GL_ARB_gpu_shader_fp64 GL_ARB_gpu_shader5 GL_ARB_instanced_arrays GL_ARB_internalformat_query GL_ARB_occlusion_query2 GL_ARB_sample_shading GL_ARB_sampler_objects GL_ARB_separate_shader_objects GL_ARB_shader_bit_encoding GL_ARB_shader_subroutine GL_ARB_shading_language_include GL_ARB_tessellation_shader GL_ARB_texture_buffer_object_rgb32 GL_ARB_texture_cube_map_array GL_ARB_texture_gather GL_ARB_texture_query_lod GL_ARB_texture_rgb10_a2ui GL_ARB_texture_storage GL_ARB_texture_swizzle GL_ARB_timer_query GL_ARB_transform_feedback2 GL_ARB_transform_feedback3 GL_ARB_vertex_attrib_64bit GL_ARB_vertex_type_2_10_10_10_rev GL_ARB_viewport_array GL_EXT_debug_label GL_EXT_debug_marker GL_EXT_framebuffer_multisample_blit_scaled GL_EXT_texture_compression_s3tc GL_EXT_texture_filter_anisotropic GL_EXT_texture_sRGB_decode GL_APPLE_client_storage GL_APPLE_container_object_shareable GL_APPLE_flush_render GL_APPLE_object_purgeable GL_APPLE_rgb_422 GL_APPLE_row_bytes GL_APPLE_texture_range GL_ATI_texture_mirror_once GL_NV_texture_barrier
  • webgl1Extensions: ANGLE_instanced_arrays EXT_blend_minmax EXT_color_buffer_half_float EXT_frag_depth EXT_sRGB EXT_shader_texture_lod EXT_texture_filter_anisotropic EXT_disjoint_timer_query OES_element_index_uint OES_standard_derivatives OES_texture_float OES_texture_float_linear OES_texture_half_float OES_texture_half_float_linear OES_vertex_array_object WEBGL_color_buffer_float WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_depth_texture WEBGL_draw_buffers WEBGL_lose_context
  • webgl1Renderer: Intel Inc. -- Intel(R) Iris(TM) Graphics 550
  • webgl1Version: 4.1 INTEL-10.32.48
  • webgl1WSIInfo: CGL
  • webgl2DriverExtensions: GL_ARB_blend_func_extended GL_ARB_draw_buffers_blend GL_ARB_draw_indirect GL_ARB_ES2_compatibility GL_ARB_explicit_attrib_location GL_ARB_gpu_shader_fp64 GL_ARB_gpu_shader5 GL_ARB_instanced_arrays GL_ARB_internalformat_query GL_ARB_occlusion_query2 GL_ARB_sample_shading GL_ARB_sampler_objects GL_ARB_separate_shader_objects GL_ARB_shader_bit_encoding GL_ARB_shader_subroutine GL_ARB_shading_language_include GL_ARB_tessellation_shader GL_ARB_texture_buffer_object_rgb32 GL_ARB_texture_cube_map_array GL_ARB_texture_gather GL_ARB_texture_query_lod GL_ARB_texture_rgb10_a2ui GL_ARB_texture_storage GL_ARB_texture_swizzle GL_ARB_timer_query GL_ARB_transform_feedback2 GL_ARB_transform_feedback3 GL_ARB_vertex_attrib_64bit GL_ARB_vertex_type_2_10_10_10_rev GL_ARB_viewport_array GL_EXT_debug_label GL_EXT_debug_marker GL_EXT_framebuffer_multisample_blit_scaled GL_EXT_texture_compression_s3tc GL_EXT_texture_filter_anisotropic GL_EXT_texture_sRGB_decode GL_APPLE_client_storage GL_APPLE_container_object_shareable GL_APPLE_flush_render GL_APPLE_object_purgeable GL_APPLE_rgb_422 GL_APPLE_row_bytes GL_APPLE_texture_range GL_ATI_texture_mirror_once GL_NV_texture_barrier
  • webgl2Extensions: EXT_color_buffer_float EXT_texture_filter_anisotropic EXT_disjoint_timer_query OES_texture_float_linear WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_lose_context
  • webgl2Renderer: Intel Inc. -- Intel(R) Iris(TM) Graphics 550
  • webgl2Version: 4.1 INTEL-10.32.48
  • webgl2WSIInfo: CGL
  • windowLayerManagerRemote: True
  • windowLayerManagerType: OpenGL
  • windowUsingAdvancedLayers: False

Modified Preferences

Misc

  • User JS: No
  • Accessibility: No
jscher2000
  • Top 10 Contributor
8687 solutions 71011 answers
Posted

Helpful Reply

Session cookies are normally saved in the session history file that's used to restore your previous session after a crash or on demand. To set Firefox NOT to store session cookies in that file, you can make this change and test out whether this is the issue:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste sess and pause while the list is filtered.

(3) Double-click the browser.sessionstore.privacy_level preference to display a dialog where you can enter the desired value, then click OK.

0 = Save session cookies and form data for ALL sites (default)
1 = Save session cookies and form data ONLY for http (not https) sites
2 = Don't save session cookies and form data in the file
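As an added example that is not part of this thread and not Mozilla code: a Python script that opens a Firefox sessionstore file (the `mozLz40\0` magic, a little-endian u32 decompressed size, then one raw LZ4 block) and lists the cookies it carries, so you can confirm on a real profile whether the SAML session cookie is being kept across restarts, and confirm the list is empty after setting browser.sessionstore.privacy_level to 2. Assumptions: the top-level `cookies` array found in current sessionstore files (persistent cookies live in cookies.sqlite, not here); the sample sessionstore document is constructed; the literal-only encoder exists only to build that sample, while the decoder handles real files with back-references; all function names are mine.

```python
import json
import struct
import sys

MOZLZ4_MAGIC = b"mozLz40\0"


def lz4_block_decompress(src: bytes, dst_size: int) -> bytes:
    """Decode one raw LZ4 block (the format mozlz4 wraps) into exactly dst_size bytes."""
    dst = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        # literal run length is the high nibble; 15 means more 255-capped bytes follow
        lit_len = token >> 4
        if lit_len == 15:
            while True:
                b = src[i]
                i += 1
                lit_len += b
                if b != 255:
                    break
        dst += src[i:i + lit_len]
        i += lit_len
        if i >= n:
            break  # the final sequence carries literals only
        # match: 2-byte little-endian offset back into dst, length = low nibble + 4
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(dst):
            raise ValueError("corrupt LZ4 block: bad match offset")
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:
            while True:
                b = src[i]
                i += 1
                match_len += b
                if b != 255:
                    break
        start = len(dst) - offset
        for k in range(match_len):  # byte-wise copy so overlapping matches work
            dst.append(dst[start + k])
    if len(dst) != dst_size:
        raise ValueError(f"decompressed {len(dst)} bytes, header said {dst_size}")
    return bytes(dst)


def read_mozlz4(data: bytes) -> bytes:
    """Strip the mozlz4 header (magic + little-endian u32 size) and decompress."""
    if not data.startswith(MOZLZ4_MAGIC):
        raise ValueError("not a mozlz4 file")
    (size,) = struct.unpack_from("<I", data, len(MOZLZ4_MAGIC))
    return lz4_block_decompress(data[len(MOZLZ4_MAGIC) + 4:], size)


def mozlz4_literal_only(payload: bytes) -> bytes:
    """Wrap payload as a valid mozlz4 file using a single literal-only LZ4 sequence.
    Only used here to construct sample input; real files also contain matches."""
    n = len(payload)
    if n < 15:
        token = bytes([n << 4])
    else:
        rest = n - 15
        token = b"\xF0"
        while rest >= 255:
            token += b"\xFF"
            rest -= 255
        token += bytes([rest])
    return MOZLZ4_MAGIC + struct.pack("<I", n) + token + payload


def session_cookies(store: dict) -> list:
    """Cookies held in a sessionstore document (assumed top-level "cookies" array;
    every entry there is a session cookie, since persistent ones are not written)."""
    return [
        {"host": c.get("host", ""), "name": c.get("name", ""),
         "path": c.get("path", "/"), "secure": bool(c.get("secure", False))}
        for c in store.get("cookies", [])
    ]


def audit_file(data: bytes) -> list:
    """Decompress a sessionstore file and return its cookie entries."""
    return session_cookies(json.loads(read_mozlz4(data)))


# Constructed sample: what a sessionstore file looks like with privacy_level 0
# after an SSO login (values are made up).
SAMPLE_STORE = {
    "version": ["sessionrestore", 1],
    "windows": [],
    "cookies": [
        {"host": "idp.example.com", "name": "saml_session", "value": "constructed",
         "path": "/", "secure": True, "httponly": True},
        {"host": "intranet.example", "name": "JSESSIONID", "value": "constructed",
         "path": "/app"},
    ],
}
SAMPLE_FILE = mozlz4_literal_only(json.dumps(SAMPLE_STORE).encode())


if __name__ == "__main__":
    # python3 audit_sessionstore.py <profile>/sessionstore-backups/recovery.jsonlz4
    with open(sys.argv[1], "rb") as fh:
        for c in audit_file(fh.read()):
            print(f"{c['host']}\t{c['name']}\tpath={c['path']}\tsecure={c['secure']}")
```

Run it against the `.jsonlz4` files under the profile's sessionstore-backups directory (and sessionstore.jsonlz4 in the profile root after a clean quit). With the default privacy_level of 0 the SSO cookie shows up in the output; with privacy_level set to 2 the cookie list should come back empty, which is the observable effect of the change described in the answer above.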

Question owner

OK, that does "fix" it, but I don't understand how the default behavior is in any way acceptable (or even correct based on the preference description). By default if a user logs in using something like SAML, they will never, ever, ever be logged out unless they manually delete the cookie or do the above suggestion. If Firefox isn't going to delete cookies when the session expires even when the preference says to delete cookies when the session expires, then that option should be renamed or removed.

What I do know is that this behavior means we will not be deploying or recommending Firefox for any of the people at our company. That's too bad, because it's an otherwise decent browser.

jscher2000
  • Top 10 Contributor
8687 solutions 71011 answers
Posted

Firefox's session restore is meant to seamlessly restore your session, which can't happen without the cookies. Why do you think your previous session was getting restored -- was it an automatic crash recovery or a manual restoration or your startup setting?

Also, best practice is to log out of sensitive sites. Terminating the session on the server prevents use of stolen session cookies. Is there a site that doesn't let you log out? That seems like really bad design.

Question owner

I'm guessing you've never used a single sign on site with SAML. The credentials are meant to be held for multiple sites, so no single logout can clear them. SAML is designed with the idea that the browser will actually respect the session expiration setting on a cookie AND DELETE IT. Like every other browser in existence does.

I get the session restore function, but flat out ignoring when a cookie is set to expire at the end of a session is just plain wrong. And it's worse when the settings lead you to believe that session cookies are actually deleted. At the very least there should be an option in the regular settings to disable session restore. But what should really happen is that session restore should not be enabled by default.

But I guess if Mozilla wants to call it a feature and not a bug, that's their prerogative.

jscher2000
  • Top 10 Contributor
8687 solutions 71011 answers
Posted

To be clear: the session cookies are removed from Firefox's cookie store, but they are retained in the session history file to support the session restore feature. If your Firefox does not work that way, something strange is happening.

If you think SAML supports a change in the default setting, you could file a bug:

https://bugzilla.mozilla.org/enter_bug.cgi