Closed Bug 1468220 Opened 6 years ago Closed 3 years ago

Session cookie is not removed after closing the tab and exiting the browser

Categories

(Firefox :: Session Restore, defect, P3)

Product:
Firefox
Component:
Session Restore
Version:
61 Branch
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 530594

People

(Reporter: egil, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression)

Attachments

(1 file)

session-cookie.html
(deleted), text/html
Details
Attached file session-cookie.html (deleted) —
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Build ID: 20171024165158 Steps to reproduce: 1. Open attached session-cookie.html or http://f.enux.pl/_tests/session-cookie.html 2. Close tab with session-cookie.html. 3. Exit Firefox (CTRL+SHIFT+Q). 4. Open new tab and open session-cookie.html. Actual results: Start cookies: test_session_cookie=123 sessionStorage item: null Notice how the session cookie is preserved but an item in `sessionStorage` is not. Also note that the `sessionStorage` is removed even when the tab is closed (without closing Firefox). Expected results: Start cookies: sessionStorage item: null I can understand that cookie would be preserved if I restarted the Firefox. But I closed the tab and then closed Firefox. I haven't restored the tab! I just visited the same URL.
PS: Contrary to the user-agent I used FF dev 61 for testing: "buildID": "20180607135512", "userAgent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0",
Related with (but different case): Bug 443354 - "Save and Quit" tabs should not save session cookies of to-be-restored tabs
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 Build ID:20180614100146 I could not reproduce the issue on Windows 7 x64 using the latest Nightly 62.0a1 and Firefox Beta 61.0b13 following the STR from description. But I managed to reproduce it using the following STR: 1.Launch Firefox 2.Open http://f.enux.pl/_tests/session-cookie.html in a new tab 3.Close tab with session-cookie.html 4.Exit Firefox (CTRL+SHIFT+Q) 5.Reopen Firefox 6.Click "Restore Previous Session" 7.Open http://f.enux.pl/_tests/session-cookie.html in a new tab [Actual result]: Start cookies: test_session_cookie=123 sessionStorage item: null I am assigning a component to this issue in order to involve the development team and get an opinion on this.
Status: UNCONFIRMED → NEW
Component: Untriaged → Session Restore
Ever confirmed: true
Original steps still work for me on Nightly: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 1. Launch Firefox(*). 2. Open attached session-cookie.html or http://f.enux.pl/_tests/session-cookie.html 3. Close tab with session-cookie.html. 4. Exit Firefox (CTRL+SHIFT+Q). 5. Reopen Firefox. 6. Open http://f.enux.pl/_tests/session-cookie.html in a new tab Movie: https://www.youtube.com/upload (*) Some notes on my FF Nightly installation: * I'm using a fresh profile for Nightly (created just before doing the test). * Launching with params: `-P Nightly -no-remote` (if that is important). * I have some pinned tabs, but form OTHER domains (if that is important).
Sorry :-). Link to the movie: https://youtu.be/-lS3-Z0j6Fg
I've re-tested and yes -- pinned tabs seem to trigger session restore automatically. Even if you have a blank page (speed dial) pinned.
Cheers for that, can reproduce
Blocks: ss-reliability
Priority: -- → P3

From the linked issue (https://bugzilla.mozilla.org/show_bug.cgi?id=443354#c29):

At the very least can we get rid of the sessions saved for sites with no open tabs?

We already do that. If that's not what you see, please file a new bug.

As far as I can tell, Firefox has stopped "doing that", this is the "new bug", and it hasn't been updated in 3 years.

It's a security issue. Many sites tell you "close this tab then quit the browser" to ensure that you're logged out, which seems like reasonable advice, but Firefox doesn't actually do the thing that the user-agent is supposed to do -- the thing that the above quote says it does.

Dale, can we please get a higher priority / security-relevant flag on this, so it actually gets some attention from the team?

Flags: needinfo?(dharvey)

As I commented on bug 530594 , I was able to isolate the issue to Firefox 55, to a change made between the Nightly builds of 2017-04-07 and 08. (So, please also flag the issue as a regression, because this used to work correctly.)

Hey Johann, do you think this needs security triage / flags?

Flags: needinfo?(dharvey) → needinfo?(jhofmann)

(In reply to James B from comment #9)

As I commented on bug 530594 , I was able to isolate the issue to Firefox 55, to a change made between the Nightly builds of 2017-04-07 and 08. (So, please also flag the issue as a regression, because this used to work correctly.)

Thanks, James. The regression range is a big help!

Here is the changelog between Nightly builds 2017-04-07 and 2017-04-08:

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=10ea10d9993c9701e5525928257a589dea2c05d8&tochange=35c7be9c2db288d1d449e3cc586c4164d642c5fd

In this changelog, bug 912717 ("Don't let SessionCookie collection jank the chrome process") looks like it me related.

Regressed by: 912717

I'm reading down from the top of that bug and almost immediately I see suggestions like "recursively walking history entries is expensive, we should cache it"... it's like being in the audience at the beginning of a horror film -- don't go in there, cache invalidation is One Of The Hard Problems!

At the end, they link to bug 1354523, which has had no activity for 4 years. "We should write some tests, I'll get to it Soon". Man, I've said that sentence a few too many times. Anyway, I voted for it, and I'll leave a comment over there pointing back to here.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jhofmann)
Resolution: --- → DUPLICATE
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: