Use of Primary Password has been changed!
Primary Password is supposed to be prompted "once for each Firefox session, when Firefox needs access to your stored passwords."
In the latest 112.0.2 (64-bit) release, this feature no longer works. When I restart a new Firefox session, it immediately accesses webpages and accounts and automatically logs you in, without ever confirming the Primary Password.
Even when FF does ask you for the Primary Password, if you click on x and ignore the request, FF happily goes on and logs in to all secure sites without prompting a password.
This is a serious security problem! If I shut down a laptop or quit out of Firefox, I don't want someone else to be able to power up the computer, launch the browser and have automatic access to all of my accounts, email, etc.
Thanks for looking into this and fixing it. Keep up the good work.
All Replies (2)
That would normally only happen if you have chosen that the website remembers you and keeps a session cookie, either via an allow cookie exception if you let cookies expire if you close Firefox or possibly via session restore that saves the cookies for open tabs. If you cancel a PP prompt then that would lock the logins automatically and opening about:logins should give you a PP prompt.
lincolnhu said
Even when FF does ask you for the Primary Password, if you click on x and ignore the request, FF happily goes on and logs in to all secure sites without prompting a password.
When you cancel the Primary Password dialog, Firefox should not fill login forms. If you can get into sites without filling a login form after that, it's possible that you already had a live session on the site that you didn't sign out after your previous visit. When Firefox visits a site, it presents any cookies previously set by the site. If one of those cookies has a token that matches up with a live session, the site pops you back into that session. To test the Primary Password more conclusively, sign out of the site, return to the login form, and see whether Firefox will fill the login form without you properly entering your Primary Password.