Firefox at it again?

Yannick Béot yannick.beot at gmail.com
Wed Oct 24 15:37:18 EDT 2012


In any case, Firefox or not, Chrome might have this behavior depending on
the configuration (especially confidentiality settings).
So this is a reality.

Either you limit the duration of the SSO session or you educate your users
to use the private mode offered by any browser (IE, Chrome and FF at least)
if they are not on their workstation.

Y.


On Wed, Oct 24, 2012 at 9:28 PM, Andrew Morgan <morgan at orst.edu> wrote:

> I was testing using Firefox on Linux.
>
> I re-tested the same steps using Firefox 16.0.1 on Windows and the
> behavior is the same.  Closing Firefox with the [X] on the window will
> retain cookies.  Closing Firefox with File > Exit does not.
>
>         Andy
>
> On Wed, 24 Oct 2012, Joel Murphy wrote:
>
> >
> > Firefox 16.0.1 on Windows and I can't reproduce this behavior. Are you
> > sure you don't have other Firefox windows left open?  It seems serious
> > if it were the case.
> >
> > On 10/24/2012 2:30 PM, Andrew Morgan wrote:
> >> On Wed, 24 Oct 2012, David Bantz wrote:
> >>
> >>> My impression is that browser developers have decided that user
> >>> experience is enhanced if they restore "your" cookies active at the
> >>> last shut-down. Both Chrome and Firefox appear to do so.  As you note,
> >>> this makes closing the browser inadequate for session logout; in at
> >>> least one case at my institution caused a service to opt out of SSO as
> >>> posing too great a risk (i.e., of workstation user being able to use
> >>> prior user's session).
> >>>
> >>> David Bantz
> >>> UA OIT IAM
> >>>
> >>> On Wed, 24 Oct 2012, at 07:44 , Russell Beall <beall at usc.edu> wrote:
> >>>
> >>>> My version of Firefox just went to 16.  Now it seems they have broken
> >>>> proper cookie handling once again.
> >>>>
> >>>> I cannot get my cookies to expire correctly and I have to manually
> >>>> delete them to kill a session now.
> >>>>
> >>>> This is true even though I entered the custom settings which are
> >>>> supposed to clear cookies as well as "Active Logins" when the browser
> >>>> closes.
> >>>>
> >>>> Seems like this may just be a bug, but I thought I'd warn people that
> >>>> once again the expectation of logout upon browser close is currently
> >>>> non-functional in Firefox.
> >>>>
> >>>> This is definitely an issue for us because we have to handle the kiosk
> >>>> and shared workstation use cases for important applications (such as a
> >>>> timecard system).
> >> If you close Firefox by clicking the [X] on the window, Firefox will
> >> retain the "expires at end of session" cookies.  If you close Firefox by
> >> choosing File > Quit from the menu, Firefox will delete the "expires at
> >> end of session" cookies.
> >>
> >> That's probably not much help for our typical use cases, though.
> >>
> >>      Andy
> >> --
> >> To unsubscribe from this list send an email to
> >> users-unsubscribe at shibboleth.net
> >>
> >>