severe firefox security breach? doesn't require master password
I have Firefox set with a master password. When I start up the computer and Firefox, it opens the browser the way I had it saved when I shut down. This includes sites requiring passwords. They all open with no request for passwords. Then randomly at some later point I am asked for the master password. Shouldn't it ask for the master password first, before opening protected sites?
When you closed down Firefox, did you log out of all the logged-in web pages? If not, then FF is still logged in to those sites. You should log out of each site.
Thanks for the suggestion, but in my opinion that is a security breach. How many people will remember to first log out of all the open windows before shutting down? If I shut down my email window and then open it up again even a minute later, it makes me log in, even though I never logged out. If I shut down FF completely and then come back in a day later, my email window is open without entering any password, the regular one or the master one. FF should require the master password every time you start it up.
Chosen solution
This is a little bit complicated.
If you allow sites to set persistent cookies to keep you logged in between sessions, Firefox never needs to use your saved password; you are already in on every visit for as long as Firefox keeps the cookie (weeks, months, or years depending on what the site specified).
Alternatively, if you limit sites to setting session cookies, after you shut down Firefox those cookies normally are deleted. But there's an exception for the windows and tabs you left open.
When you restore a previous session, Firefox reinstates the cookies from that session, including the ones that kept you logged in to sites. Secure (HTTPS) sites are handled differently depending on when you restore your session:
- When Firefox is set to start up automatically with previous windows and tabs: secure session cookies are maintained and reinstated. Your saved login is not needed and not used.
- When Firefox is set to start up with a home page, and you have the option to restore your previous session manually: secure session cookies are discarded. You will need to log in again.
So if you either (1) allow sites to set persistent cookies, or (2) have Firefox set to restore your previous session, and you did not log out, it would be normal that no login is required when revisiting secure sites.
To make sure this doesn't happen, you have a few different options:
(1) Use only session cookies AND change some hidden settings to make sure they are not saved when your session is restored; or
(2) Clear all cookies at shutdown.
I can list steps for those if you're interested.
Thank you. Now that you've explained it, it makes sense. I know how to make the necessary changes.
You can set the browser.sessionstore.privacy_level pref to 2 (never) or 1 (non-HTTPS) on the about:config page to disable saving cookies via session restore.
The browser.sessionstore.privacy_level_deferred pref is used when you do not reopen the previous session automatically via "Show my windows and tabs from last time" and uses the same values.
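As an added example (not from any poster in this thread and not Firefox's own code), the following script models which cookies come back after a shutdown and restart under the settings discussed in the chosen solution and in the about:config reply above. The rules it encodes are my reading of those answers, and the cookie sample, the `allowPersistent`/`restoreLevel`/`clearOnShutdown` option names and the `host/name` output format are my own constructions for illustration.

```javascript
// Added example: models which cookies come back after a Firefox shutdown and
// restart under the settings discussed in this thread. It is not Firefox code
// and not from any poster; the rules below are my reading of the answers:
//   - a persistent cookie (Expires or Max-Age) survives on disk unless cookies
//     are cleared at shutdown or sites are limited to session cookies;
//   - a session cookie is deleted at shutdown, except that session restore
//     brings it back for tabs that were left open, subject to
//     browser.sessionstore.privacy_level: 0 = save all, 1 = save only
//     non-HTTPS cookies, 2 = save none (privacy_level_deferred plays the same
//     role when the previous session is restored manually).

// Parse a raw Set-Cookie header value into the attributes that matter here.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    persistent: false,  // true when the server gave the cookie a lifetime
    expired: false,     // Max-Age<=0 tells the browser to delete it right away
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=');
    switch (k.trim().toLowerCase()) {
      case 'expires': cookie.persistent = true; break;
      case 'max-age':
        cookie.persistent = true;
        if (Number(v) <= 0) cookie.expired = true;
        break;
      case 'secure': cookie.secure = true; break;
    }
  }
  return cookie;
}

// cookies: [{host, https, openTab, setCookie}] (constructed input, see SAMPLE)
// opts: { allowPersistent, restoreLevel, clearOnShutdown } (option names are mine)
// Returns "host/name" for every cookie still present after the restart.
function cookiesAfterRestart(cookies, opts) {
  if (opts.clearOnShutdown) return [];
  const kept = [];
  for (const c of cookies) {
    const parsed = parseSetCookie(c.setCookie);
    if (parsed.expired) continue;
    // Limiting sites to session cookies downgrades persistent ones to session cookies.
    const isSession = !parsed.persistent || !opts.allowPersistent;
    let survives;
    if (!isSession) {
      survives = true;            // persistent cookie: still on disk
    } else if (!c.openTab) {
      survives = false;           // only open windows/tabs are restored
    } else if (opts.restoreLevel === 2) {
      survives = false;           // never save session cookies
    } else if (opts.restoreLevel === 1) {
      survives = !c.https;        // save non-HTTPS session cookies only
    } else {
      survives = true;            // level 0: save all session cookies
    }
    if (survives) kept.push(`${c.host}/${parsed.name}`);
  }
  return kept;
}

// Constructed sample: a secure session cookie for a webmail tab left open, a
// 30-day persistent login, a plain-HTTP session cookie, and a cookie for a tab
// that was closed before shutdown.
const SAMPLE = [
  { host: 'mail.example', https: true,  openTab: true,  setCookie: 'sid=abc; Secure; HttpOnly' },
  { host: 'shop.example', https: true,  openTab: true,  setCookie: 'auth=xyz; Max-Age=2592000; Secure' },
  { host: 'news.example', https: false, openTab: true,  setCookie: 'visited=1' },
  { host: 'old.example',  https: true,  openTab: false, setCookie: 'token=q; Secure' },
];

// The original poster's situation: automatic restore with privacy_level 0.
const autoRestore = cookiesAfterRestart(SAMPLE, { allowPersistent: true, restoreLevel: 0, clearOnShutdown: false });
// After setting privacy_level to 2: only the persistent login is left.
const noSessionCookies = cookiesAfterRestart(SAMPLE, { allowPersistent: true, restoreLevel: 2, clearOnShutdown: false });
// Session-only cookies plus privacy_level 2 (option 1 in the chosen solution): nothing is left.
const sessionOnly = cookiesAfterRestart(SAMPLE, { allowPersistent: false, restoreLevel: 2, clearOnShutdown: false });

console.log({ autoRestore, noSessionCookies, sessionOnly });
```

The point the model makes visible is that the master password never enters into it: none of these paths ever read the saved login, so no prompt appears. The webmail session cookie in the sample only disappears once `restoreLevel` is 2 (or 1 for the manual-restore case, since it is an HTTPS cookie), which corresponds to setting `browser.sessionstore.privacy_level` (or `browser.sessionstore.privacy_level_deferred`) on about:config, or to a `user_pref("browser.sessionstore.privacy_level", 2);` line in a user.js file in the profile folder.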