Logins not cleared after a hard power restart with "Delete cookies and site data when Firefox is closed"
Categories
(Firefox :: Session Restore, enhancement)
Tracking
()
People
(Reporter: mauro.casonato2, Unassigned)
References
Details
(Whiteboard: [reporter-external] [client-bounty-form] [verif?])
- Set up Firefox with the option "Restore previous session" enabled.
- Sign in to several websites.
- HARD POWER OFF the system.
- Restart the system
- Restart Firefox; note that all previous logins are still available. This is very dangerous because this is exactly what happen when a PC is stolen.
The problem does not occur if Firefox is restarted gracefully.
Firefox 89.0 (64-bit)
Ubuntu 20.04.2 LTS
PC Lenovo ThinkPad P17 Gen 1
Updated•3 years ago
|
Comment 1•3 years ago
|
||
Do you have additional settings to clear cookies on exit? Or is this only on certain websites? Generally logins persist across restarts.
Comment 2•3 years ago
|
||
I'm thinking of the "Delete cookies and site data when Firefox is closed" option.
Updated•3 years ago
|
Reporter | ||
Comment 3•3 years ago
|
||
Yes correct, the "Delete cookies and site data when Firefox is closed" option is enabled. However from a security point of view, this should be a default.
Comment 4•3 years ago
|
||
Thanks for the clarification. I'm not an expert on this code, but I would expect that this is the intended behavior given that Firefox was never closed. Handling this situation better would probably require something like letting the cookies get saved to disk, which would be slightly different, so this is kind of like a feature request.
Updated•3 years ago
|
Comment 5•3 years ago
|
||
Since Firefox is not closed gracefully, there is not much we can do at shutdown phase.
However, maybe we can try to clear cookies at the beginning of restoring sessions when Delete cookies and site data when Firefox is closed
is enabled.
I'd like to switch the component to Session Restore
and see what they think about this.
Comment 6•3 years ago
|
||
In fact, restoring your session to a working state after a crash was an explicit goal of the sessionrestore feature, and "to a working state" requires keeping the cookies so that you stay logged in.
"when FIrefox is closed" means when it gracefully exits and gets to do its shutdown routines. A crash is not "closing" the browser, it's an abrupt termination.
Comment 7•3 years ago
|
||
However, maybe we can try to clear cookies at the beginning of restoring sessions when Delete cookies and site data when Firefox is closed is enabled.
I don't think we should. If you don't want session restore after a crash then turn off session restore. There's no point in having a broken session restore by default and it can already be disabled. The current behavior was an intentional choice years ago: https://bugzilla.mozilla.org/show_bug.cgi?id=345345 If we're going to change this behavior it will require design discussion and even advocacy, which is not conducted in a bug but rather in our forums, chat, and mailing lists.
Updated•3 years ago
|
Description
•