Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox Cookie sharing between Main window and Private window

  • 4 replies
  • 1 has this problem
  • 3 views
  • Paskiausią atsakymą parašė Mansrad

more options

Hi, In my application for a sensitive flow I have appended a sync token to resolve the CSRF issue. When I test the issue in Firefox I have logged in with User A on main Window and logged in with User B on private window. While testing I found an issue like, sync token is common for both user even though they are different user and logged in different window(main window and Private window). But when I have tried the same thing in Chrome I could not face this problem sync token is different in different window. So is it like session from main window will share the same session to private window?Is it kind of browser specific? Can you please help me to resolve the issue or do I need to modify any settings in browser? Thanks in advance.

Hi, In my application for a sensitive flow I have appended a sync token to resolve the CSRF issue. When I test the issue in Firefox I have logged in with User A on main Window and logged in with User B on private window. While testing I found an issue like, sync token is common for both user even though they are different user and logged in different window(main window and Private window). But when I have tried the same thing in Chrome I could not face this problem sync token is different in different window. So is it like session from main window will share the same session to private window?Is it kind of browser specific? Can you please help me to resolve the issue or do I need to modify any settings in browser? Thanks in advance.

All Replies (4)

more options

Cookies definitely should not be shared between the regular session windows and the private session windows; there should be two distinct cookie jars. I'm not aware of any setting that could change it.

Is there a site online that demonstrates the problem (either a live application or a stripped down test case)?

more options

Thanks for your reply :). It is not internet exposed site. I am getting sync token from server and append it in corresponding url as GET request and request is forming properly and flow works perfectly. But when I logged in Main window as User A and in Private Window logged in as User B. When I intercept the request and modify few params(instead of User B values I am providing User A's value) in request. At the time I can see User A and B's Sync token are same. So details are not getting deleted in User B's account(because the corresponding value not available in User B's. it is available in User A's account) instead when I refresh User A's main window message got deleted. it is a kind of CSRF issue to fix this issue I have tried with sync token but in sync token I am getting problem :( . When I have tried the same thing in Chrome browser sync token is different. So is it kind of browser specific? Even though if it is browser specific it should not share the same sync token for different users right? please let me know if need more info

more options

That is strange. Are you sure User A and User B have different sessions on the server? The CSRF token generated by the server should be valid only in one session on the server, and if there is an attempt to use it in a different session, the server should disregard the request. In other words, the session cookie and CSRF token must match. It sounds as though your User B had User A's session cookie as well as its CSRF token. It should not have had either.

more options

Yes it is very strange. For User A and User B session is different. To get a token I have used below snippet <bean:write name="<%=subAppContextName%>" property="token" <strong>scope="session"/> I am not sure whether scope="session" makes any issue. Anyway I have tried a different method to get a token. Will see what happens. But my confusion is in Chrome it works fine getting different token always. So I am not sure whats the problem.