Firefox 59 is not deleting session cookies on browser quit
I have a site that uses session cookies to maintain my single sign on (via SAML). When I quit Firefox and restart, that session cookie has not been deleted even though it is set to expire when the session expires. So my SAML site happily logs me back in without any credentials even after I quit and restart the browser. The only way to fix this is to manually delete the cookies. This seems like an exceptionally large security hole that should be addressed. Firefox should delete session cookies when you quit the browser.
Alle Antworten (5)
Session cookies are normally saved in the session history file that's used to restore your previous session after a crash or on demand. To set Firefox NOT to store session cookies in that file, you can make this change and test out whether this is the issue:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.
(2) In the search box above the list, type or paste sess and pause while the list is filtered
(3) Double-click the browser.sessionstore.privacy_level preference to display a dialog where you can enter the desired value, then click OK
0 = Save session cookies and form data for ALL sites (default) 1 = Save session cookies and form data ONLY for http (not https) sites 2 = Don't save session cookies and form data in the file
OK, that does "fix" it, but I don't understand how the default behavior is in anyway acceptable (or even correct based on the preference description). By default if a user logins in using something like SAML, they will never, ever, ever be logged out unless they manually delete the cookie or do the above suggestion. If Firefox isn't going to delete cookies when the session expires even when the preference says to delete cookies when the session expires, then that option should be renamed or removed.
What I do know is that this behavior means we will not be deploying or recommending Firefox for any of the people at our company. That's too bad, because it's an otherwise decent browser.
Firefox's session restore is meant to seamlessly restore your session, which can't happen without the cookies. Why do you think your previous session was getting restored -- was it an automatic crash recovery or a manual restoration or your startup setting?
Also, best practice is to log out of sensitive sites. Terminating the session on the server prevents use of stolen session cookies. Is there a site that doesn't let you log out? That seems like really bad design.
I'm guessing you've never used a single sign on site with SAML. The credentials are meant to be held for multiple sites, so no single logout can clear them. SAML is designed with the idea that the browser will actually respect the session expiration setting on a cookie AND DELETE IT. Like every other browser in existence does.
I get the session restore function, but flat out ignoring when a cookie is set to expire at the end of a session is just plain wrong. And it's worse when the settings lead you to believe that session cookies are actually deleted. At the very least there should be an option in the regular settings to disable session restore. But what should really happen is that session restore should not be enabled by default.
But I guess if Mozilla wants to call it a feature and not a bug, that's their prerogative.
To be clear: the session cookies are removed from Firefox's cookie store, but they are retained in the session history file to support the session restore feature. If your Firefox does not work that way, something strange is happening.
If you think SAML supports a change in the default setting, you could file a bug: