This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Support
Support
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security of tokens or cookies - Risk

CA1
Making moves

‎04-21-2023 08:17 AM

When I use Firefox each instance that I open creates one or more, typically more execution threads.

If I have two instances open, it is not unusual for there to be six or more processes running.

The risk I see is that if I authenticate to a secure website through one instance, the resulting token is available to ALL running instances of firefox. Therefore, when I exit the website I authenticated to, even if I close the browser window, that token is still available and can be used by ny of the other running instances of Firefox.

The only way to prevent this is to close ALL of the instances of Firefox, even if I want to keep the others active.

This seems ripe for exploitation.

Why cant you keep secure tokens or cookies in a separate space that is purged when the parent process is terminated? If not that, why can't you offer the option of running secured instances in a separate address space that is also purged on termination? I know it requires more memory but I would welcome the added security option.

 

 

0 Kudos
1 REPLY 1

jscher2000
Leader

‎04-22-2023 04:55 PM

If I understand your suggestion here, you would prefer Firefox to change this way or at least have this option:

Current situation: session cookies set by a site are not discarded until Firefox quits completely. With the default cookie blocking ("Total Cookie Protection"), the cookies are available to use if the same context is invoked in a different tab or window of the same type (regular vs. private).

Proposed behavior: Firefox would discard session cookies for a site when the last tab for that site (where that site is the first party, i.e., listed in the address bar) is closed. Or within some brief period of time, allowing for recovery from closing the tab accidentally.

There is an add-on that works similarly to this named Cookie AutoDelete: https://addons.mozilla.org/firefox/addon/cookie-autodelete/ (I've never tried it myself).

Does this really improve security? I don't know. If you don't want a session to be resumed, the safest thing to do is sign out of the session before closing the tab so it is closed on the server. That renders any cookie-based session token obsolete.

 

0 Kudos
Copyright © 2024 Khoros, LLC