"Save and Quit" tabs should not save session cookies of to-be-restored tabs
Categories
(Firefox :: Session Restore, defect)
Tracking
()
People
(Reporter: tal.peer, Unassigned)
References
(Depends on 1 open bug)
Details
(Keywords: privacy, Whiteboard: [sg:want P2])
Comment 1•16 years ago
|
||
Comment 2•16 years ago
|
||
Comment 3•16 years ago
|
||
Comment 4•16 years ago
|
||
Comment 5•16 years ago
|
||
Comment 6•16 years ago
|
||
Comment 9•16 years ago
|
||
Comment 11•16 years ago
|
||
Comment 12•16 years ago
|
||
Comment 13•16 years ago
|
||
Comment 14•16 years ago
|
||
Comment 15•16 years ago
|
||
Comment 16•16 years ago
|
||
Comment 17•16 years ago
|
||
Comment 18•16 years ago
|
||
Comment 19•16 years ago
|
||
Comment 20•16 years ago
|
||
Comment 21•16 years ago
|
||
Comment 22•16 years ago
|
||
Comment 23•15 years ago
|
||
Comment 24•15 years ago
|
||
Comment 25•15 years ago
|
||
Comment 26•15 years ago
|
||
Comment 27•15 years ago
|
||
Comment 28•15 years ago
|
||
Comment 29•15 years ago
|
||
Comment 30•15 years ago
|
||
Comment 31•15 years ago
|
||
Comment 32•15 years ago
|
||
Updated•15 years ago
|
Comment 34•15 years ago
|
||
Comment 36•15 years ago
|
||
Comment 37•15 years ago
|
||
Comment 38•15 years ago
|
||
Comment 39•15 years ago
|
||
Comment 40•15 years ago
|
||
Comment 41•15 years ago
|
||
Comment 42•15 years ago
|
||
Comment 44•14 years ago
|
||
Comment 45•14 years ago
|
||
Comment 47•14 years ago
|
||
Comment 48•14 years ago
|
||
Comment 49•14 years ago
|
||
Comment 50•13 years ago
|
||
Comment 51•13 years ago
|
||
Comment 52•13 years ago
|
||
Comment 53•13 years ago
|
||
Comment 54•13 years ago
|
||
Comment 57•13 years ago
|
||
Comment 58•13 years ago
|
||
Comment 59•13 years ago
|
||
Comment 60•13 years ago
|
||
Comment 61•13 years ago
|
||
Comment 63•13 years ago
|
||
Comment 66•12 years ago
|
||
Comment 67•12 years ago
|
||
Comment 68•12 years ago
|
||
Comment 69•12 years ago
|
||
Comment 70•12 years ago
|
||
Comment 72•12 years ago
|
||
Comment 73•12 years ago
|
||
Comment 74•12 years ago
|
||
Comment 75•12 years ago
|
||
Comment 76•12 years ago
|
||
Comment 77•12 years ago
|
||
Comment 78•12 years ago
|
||
Comment 79•12 years ago
|
||
Comment 80•12 years ago
|
||
Reporter | ||
Comment 81•12 years ago
|
||
Comment 82•12 years ago
|
||
Comment 83•12 years ago
|
||
Comment 84•12 years ago
|
||
Comment 85•12 years ago
|
||
Comment 86•4 years ago
|
||
Like many others, I would expect when I close Firefox the non persistent cookies should be deleted.
During many years, when I've reopen the browser and previous sessions on web sites still open, I always thought those developers where careless in securing my session, but in the end it is this Firefox component.
It is true, in the past the expected behavior was, and citing from rfc2109:
4.3.1
Max-Age The default behavior is to discard the cookie when the user agent exits.
But today, as i write this comment what Nicolas says in comment 72, it is true
It's not a bug, it's a feature.
As in, rfc6265
4.1.2.2. The Max-Age Attribute
If a cookie has neither the Max-Age nor the Expires
attribute, the user agent will retain the cookie until "the current
session is over" (as defined by the user agent).
rfc6265 obsoletes rfc2965, which obsoletes rfc2109, where many our expectations born.
But I believe this "feature" is an after thought of this component.
Citing https://wiki.mozilla.org/Session_Restore
Goals & Objectives
After a forced restart, restore the user's workspace exactly as it was.
I do not see as a goal
- after closing the browser, Ignore 4.3.1 of rfc2109, and do not delete expired cookies
and by the way, rfc6265 was created on April 2011, and by that time, the goals and feature list of this component where the same as today:
https://wiki.mozilla.org/index.php?title=Session_Restore&oldid=229938
Comment 87•4 years ago
|
||
Arguing about the RFC isn't going to help. "The default behavior..." isn't normative, and in the later RFC, "session" is never defined, and more of then than not followed by the parenthetical you quoted, "as defined by the user agent". When Firefox is configured to "restore previous session" at startup, a "session" is defined as being "until you close all tabs for the site" -- with that understanding, the documented behavior follows the RFC.
Note I said "documented" behavior. The actual behavior has been broken since 8 April 2017: even when you close the last tab on a site, the session cookie is no longer cleared on exit. Follow and vote for bug 1468220 , additional details on bug 530594 .
Description
•