cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security of tokens or cookies - Risk

CA1
Making moves

When I use Firefox each instance that I open creates one or more, typically more execution threads.

If I have two instances open, it is not unusual for there to be six or more processes running.

The risk I see is that if I authenticate to a secure website through one instance, the resulting token is available to ALL running instances of firefox. Therefore, when I exit the website I authenticated to, even if I close the browser window, that token is still available and can be used by ny of the other running instances of Firefox.

The only way to prevent this is to close ALL of the instances of Firefox, even if I want to keep the others active.

This seems ripe for exploitation.

Why cant you keep secure tokens or cookies in a separate space that is purged when the parent process is terminated? If not that, why can't you offer the option of running secured instances in a separate address space that is also purged on termination? I know it requires more memory but I would welcome the added security option.

 

 

1 REPLY 1

jscher2000
Leader

If I understand your suggestion here, you would prefer Firefox to change this way or at least have this option:

Current situation: session cookies set by a site are not discarded until Firefox quits completely. With the default cookie blocking ("Total Cookie Protection"), the cookies are available to use if the same context is invoked in a different tab or window of the same type (regular vs. private).

Proposed behavior: Firefox would discard session cookies for a site when the last tab for that site (where that site is the first party, i.e., listed in the address bar) is closed. Or within some brief period of time, allowing for recovery from closing the tab accidentally.

There is an add-on that works similarly to this named Cookie AutoDelete: https://addons.mozilla.org/firefox/addon/cookie-autodelete/ (I've never tried it myself).

Does this really improve security? I don't know. If you don't want a session to be resumed, the safest thing to do is sign out of the session before closing the tab so it is closed on the server. That renders any cookie-based session token obsolete.