4

In a website I'm building, when I log in, close Firefox, open Firefox and try to go to the website again, I must log in again (as expected), BUT if I select "Restore Previous Session" I am logged in again. I consider this a security threat, as many users expect to be logged out after the browser is closed. I check for a valid session by

session_start();
if(isset($_SESSION['loggedIn']))

and if this is true the user is logged in.

In I.E. I wasn't able to reproduce this. How can this be fixed?

Celeritas
  • Here is a related post about Firefox not killing cookies between closes: http://stackoverflow.com/questions/777767/firefox-session-cookies – Eric G Mar 05 '13 at 03:23
  • I think it is good that we can restore session cookies; users should have the choice to restore the website session. I would not want to be forced to log in again when I close the browser or the browser crashed... – baptx Aug 02 '19 at 10:29

4 Answers

5

Set PHP's session.cookie_lifetime=0. With a value of zero the session token will be destroyed when the browser closes. session.gc_maxlifetime will still destroy the session after a period of time.

rook
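As an added example (not code from the question or from this answer), here is the question's `isset($_SESSION['loggedIn'])` check combined with the two settings named above, plus a server-side idle and absolute timeout. The reason for the extra timeouts: `session.cookie_lifetime=0` is already PHP's default and produces a cookie with no Expires attribute, which is exactly the kind of cookie Firefox's session restore brings back, and `session.gc_maxlifetime` is only enforced when garbage collection happens to run (it is triggered probabilistically by `session.gc_probability`/`session.gc_divisor`). The helper names `require_login`, `mark_logged_in` and `logout`, the timeout values, the `/login.php` redirect and the assumption that the site is served over HTTPS are all mine; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not the question's or the answer's code.
// Hypothetical helper names: require_login(), mark_logged_in(), logout().
// IDLE_TIMEOUT / ABSOLUTE_TIMEOUT are arbitrary choices for illustration.

const IDLE_TIMEOUT     = 15 * 60;   // seconds without a request before the login lapses
const ABSOLUTE_TIMEOUT = 8 * 3600;  // hard cap on one login, regardless of activity

// 1. The settings the answer refers to. cookie_lifetime=0 (PHP's default) sends the
//    session cookie without an Expires attribute, so a browser normally drops it on
//    exit, but Firefox's session restore brings it back. gc_maxlifetime bounds how
//    long the server keeps the data, but GC only runs on a fraction of requests.
ini_set('session.cookie_lifetime', '0');
ini_set('session.gc_maxlifetime', (string) ABSOLUTE_TIMEOUT);
ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued
ini_set('session.cookie_httponly', '1');  // keep the ID away from page scripts
ini_set('session.cookie_secure', '1');    // assumption: the site is served over HTTPS
session_start();

// Called by the login handler once the credentials have been verified.
function mark_logged_in(string $user): void
{
    session_regenerate_id(true);          // fresh ID after authentication (anti-fixation)
    $_SESSION['loggedIn']   = $user;
    $_SESSION['loginAt']    = time();     // server-side timestamps: a restored cookie
    $_SESSION['lastActive'] = time();     // cannot change them
}

// Clears the server-side data and expires the cookie in the browser.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// 2. The question's check, plus the expiry that gc_maxlifetime alone does not
//    guarantee. A cookie restored hours after the browser was closed now presents
//    a session whose timestamps are stale, and it is rejected and destroyed.
function require_login(): bool
{
    if (!isset($_SESSION['loggedIn'], $_SESSION['loginAt'], $_SESSION['lastActive'])) {
        return false;
    }
    $now = time();
    if ($now - $_SESSION['lastActive'] > IDLE_TIMEOUT
        || $now - $_SESSION['loginAt'] > ABSOLUTE_TIMEOUT) {
        logout();
        return false;
    }
    $_SESSION['lastActive'] = $now;       // sliding idle window
    return true;
}

// Usage on a protected page.
if (!require_login()) {
    header('Location: /login.php');       // hypothetical login page
    exit;
}
echo 'Logged in as ' . htmlspecialchars($_SESSION['loggedIn'], ENT_QUOTES, 'UTF-8');
```

The point of keeping `loginAt` and `lastActive` in `$_SESSION` rather than in the cookie is that a restored cookie only carries the session ID; the decision whether that ID is still good is made from data the browser never sees, so it holds in Firefox, Internet Explorer or any other client regardless of how they treat session cookies.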
2

This is a long-standing security bug in Firefox which has been around since at least 2008. For example see https://bugzilla.mozilla.org/show_bug.cgi?id=443354#c48 ("Save and Quit tabs should not save session cookies of to-be-restored tabs").

Further details and a workaround are also described at https://support.mozilla.org/de/questions/938865 in "Firefox doesn't delete cookies on exit. When will it do?".

The workaround uses about:config to set

  • browser.sessionstore.privacy_level = 1 or 2
  • browser.sessionstore.privacy_level_deferred = 1 or 2

as described in comment 48 of the bug report above.

1

It's not a bug, it's a feature.

Firefox's session restore feature, as its name says, is supposed to… restore my session. The whole session. Including the state of tabs, their form data… Everything. And this is great. This is the goal of session restore.

Mac OS X Mountain Lion's applications are now stateful, like on the iPad. The apps now have their state saved at quit and restored at relaunch. This behaviour of Mac applications is now recommended by Apple's guidelines for developers.

Computer systems will behave more and more like this, and this is a good move. Better get used to it. This can be somewhat disturbing at the beginning, because of our habits. But for newcomers, it is more natural. It is always a good idea to think of the paper analogy. Let's say I am writing in my notebook, I am in the middle of a sentence, and I suddenly close my notebook and I sleep. Without doing any “Save” action, without even thinking of a “Save” action. Three days later, when I open my notebook again, I find the page exactly as I had left it. This user experience is good. In computer software, the same user experience is good too, and I expect it.

  • But I.E. has "Reopen last browsing session" and it doesn't seem to remember logged-in sessions. – Celeritas Mar 04 '13 at 21:53
  • So you're saying it's not good to have a user enter their password more than once and to always keep the session on the browser/computer? – Celeritas Mar 04 '13 at 22:09
  • Depends what you mean: good for security or good for usability. This is an area where they conflict. – Rory Alsop Mar 04 '13 at 23:28
  • @Celeritas — When I check a box named *Remember*, I want the site to… remember. As always, security harms usability and usability harms security. So in the end, the right thing to do depends on the situation and on the user's choice. Is the system the entry control of a CIA bunker or a daily-life Web site? Does the user trust his own computer in his own house? It is good to let the user make his/her informed choice and to respect it. Hence the *Remember* check box, and the security explanation next to it. Thus, if the user is in a fragile situation, s/he can choose not to be remembered. – Nicolas Barbulesco Mar 05 '13 at 14:33
  • @NicolasBarbulesco exactly. If the "remember me" check box is not checked then the session will still be remembered in Firefox. – Celeritas Mar 05 '13 at 17:44
  • In general I strongly believe analogies are way overused in computer science and security. Often they are used to falsely justify a point by choosing an arbitrary object that the point holds true for. For example it seems out of the blue that a website should be like a piece of paper, therefore anyone can continue where the previous person left off. – Celeritas Mar 05 '13 at 17:52
  • @Celeritas — “If the "remember me" check box is not checked then the session will still be remembered in Firefox.” This is because you did not set a cookie duration, no? You can set a cookie duration if you want the login to expire. For instance 24 h. If I were a user of your site, I would probably not like that, but I think that would achieve the goal you want. – Nicolas Barbulesco Mar 06 '13 at 02:39
1

Does this happen if you set Firefox to destroy all cookies on exit? There are some add-ons out there that will help you get better control of cookies and of when to destroy them. This may help ensure the cookies are destroyed between launches.

I am not sure if any of the Firefox privacy settings will do this built-in without an add-on.

Eric G
  • I logged in to the site, closed and reopened Firefox, then deleted the individual cookies associated with the site. When I navigated back to the site it said I wasn't logged in - so that's expected. – Celeritas Mar 05 '13 at 17:57
  • I haven't gone through all the add-ons available, but I think one or two of them have an option to delete all cookies when you close the window or maybe even the tab. If not, it may be possible to write such an extension. Though, for your own app, if you can stop it at the server side that would be best, I would think. – Eric G Mar 05 '13 at 19:45