FF keeps form data post crash/kill... how to stop this, we can't have it keeping form data in a crash (PCI/PAN data vulnerability)

Hi,

We have been testing FF as we need to meet PCI requirements, and from what we can tell FF will keep form data post it crashing (or killing it in Task Manager), and when restarting it loads the last page and shows data that was entered.

We fear that FF is storing this data in a file. If it is, and it's in plain text, a hacker could get that file, and if it had credit card data in it, well, that's bad for PCI requirements.

Does it write the data to a file? Is the data in plain text? If so: where is this kept? Can we disable it? How long is it kept?

Thanks,
Shane Weddle

All Replies (2)

Hi, as a starting point you could refer to http://kb.mozillazine.org/Session_Restore. Do you still have particular questions after that?

Take a look in your sessionstore-backups folder. You can open your current Firefox settings (AKA Firefox profile) folder using either

  • "3-bar" menu button > "?" button > Troubleshooting Information
  • (menu bar) Help > Troubleshooting Information
  • type or paste about:support in the address bar and press Enter

In the first table on the page, click the "Show Folder" button to launch the folder in Windows Explorer.

Scroll down and double-click into the sessionstore-backups folder. Your open pages, as well as a number of previously visited pages in open and closed tabs, are saved in these files:

  • recovery.js: the windows and tabs in your currently live Firefox session (or, if Firefox crashed at the last shutdown and is still closed, your last session)
  • recovery.bak: a backup copy of recovery.js
  • previous.js: the windows and tabs in your last Firefox session
  • upgrade.js-build_id: the windows and tabs in the Firefox session that was live at the time of your last update

Note: By default, Windows hides the .js extension. To ensure that you are looking at the files I mentioned, you may want to turn off that feature. This article has the steps: http://windows.microsoft.com/en-us/windows/show-hide-file-name-extensions


Firefox has a user preference which you cannot control from the server application which determines the extent to which the session history file will contain site cookies and form data in addition to the page's URL. You can experiment with this setting and issue recommendations or requirements accordingly:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste sess and pause while the list is filtered

(3) Double-click the browser.sessionstore.privacy_level preference and enter the desired value:

  • 0 => Save extra data for all sites
  • 1 => Save extra data for HTTP sites but not HTTPS sites
  • 2 => Do not save extra data for any sites


You might also look at the anti-caching options in this support article to see whether HTTP headers combined with using POST to load the form (not just to submit the form), bypasses saving form data: https://developer.mozilla.org/Firefox/Releases/1.5/Using_Firefox_1.5_caching
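
One way to verify what the reply above describes, as an added example that is not part of the original thread: it walks a session file's JSON for saved form fields and flags values that look like card numbers, so you can confirm that browser.sessionstore.privacy_level set to 2 leaves none behind. It assumes the session file is plain JSON and that form fields sit under a `formdata` key; the function names and the sample session are constructed for illustration.

```python
import json
import re

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def leaves(node, path=""):
    """Yield (path, string) for every string nested under a formdata object."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from leaves(val, f"{path}/{key}" if path else key)
    elif isinstance(node, str):
        yield path, node

def find_formdata(node, url=None):
    """Walk the session JSON; yield (url, field, value) for saved form fields."""
    if isinstance(node, dict):
        if isinstance(node.get("url"), str):
            url = node["url"]  # remember which page the form belongs to
        for key, val in node.items():
            if key == "formdata":
                for field, value in leaves(val):
                    yield url, field, value
            else:
                yield from find_formdata(val, url)
    elif isinstance(node, list):
        for item in node:
            yield from find_formdata(item, url)

def audit(session_text):
    """Report saved form fields without echoing their values."""
    findings = []
    for url, field, value in find_formdata(json.loads(session_text)):
        pan = any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(value))
        findings.append({"url": url, "field": field, "pan_like": pan})
    return findings

# Constructed sample (assumed layout, not a real profile): one saved checkout form.
SAMPLE = json.dumps({"windows": [{"tabs": [{"entries": [
    {"url": "https://shop.example/checkout",
     "formdata": {"id": {"cardnumber": "4111 1111 1111 1111", "name": "Test User"}}}]}]}]})
```

Run `audit()` on the text of a session file from a test profile before and after changing the preference; an empty list means no form fields were saved.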