60
edits
Talk:Session Restore: Difference between revisions
→Understanding the Structure of sessionstore.js file
LukeKendall (talk | contribs) |
|||
| (24 intermediate revisions by 14 users not shown) | |||
| Line 30: | Line 30: | ||
--[[User:FrederikVds|FrederikVds]] 15:04, 6 April 2006 (PDT) | --[[User:FrederikVds|FrederikVds]] 15:04, 6 April 2006 (PDT) | ||
=== An opposing view === | |||
These suggestions seem over-designed, to me. The same logic would apply to any sensitive information stored on your computer. What about email addresses in your mail program? Financial accounting information for your company? By the same logic, all this should be encrypted too. | |||
One problem with encrypting the information is that it's unrecoverable if you forget the password, or if there's a tiny data error through hardware faults that corrupt a bit. Nor can you dive in with a text editor and delete the saved URL that's causing your browser to crash. The session data is a black box, uneditable. On the design side, I argue that it goes against the Unix philosophy of modular easily-connected components. If you want encryption, save it to an encrypted file system, or encrypt the files with PGP or something. | |||
IMHO, the file format for the saved session should be XML or even plain text. The most I'd suggest as far as security would be to avoid storing cookies or form data or passwords. Let the browser request fresh cookies, and the user re-enter their passwords etc., upon reload. | |||
--[[User:LukeKendall|LukeKendall]] 10:30, 18 July 2006 (EST) | |||
== Restoring after voluntary exit not optional == | == Restoring after voluntary exit not optional == | ||
| Line 57: | Line 66: | ||
--[[User:BillMcGonigle|BillMcGonigle]] 10:48, 21 Feb 2006 (PST) | --[[User:BillMcGonigle|BillMcGonigle]] 10:48, 21 Feb 2006 (PST) | ||
I'd say this feature is contrary to the privacy settings. I set firefox to clear private data when closing Firefox, yet this code circumvents that - when I restart, browsing history, etc, is there for all the world to see. At very least it should be switchable on/off by a user preferences option. | |||
== DOM restore vs. URL restore == | == DOM restore vs. URL restore == | ||
| Line 72: | Line 83: | ||
--[[User:Sofoz|Sofoz]] 07:01, 15 July 2006 (PDT) | --[[User:Sofoz|Sofoz]] 07:01, 15 July 2006 (PDT) | ||
I'm not sure if expired server sessions should be much of a concern. After all, the expiry would happen if you left the browser open or if you hibernated the OS. Trying to ensure fresh information in session restore case seems trying too hard and wouldn't be very consistent. | |||
--[[User:Aapo Laitinen|Aapo Laitinen]] 22:36, 18 July 2006 (PDT) | |||
== Use-cases for Session Restoration == | == Use-cases for Session Restoration == | ||
| Line 118: | Line 133: | ||
* But I think better would be to have an explicit Save Session and Restore Session function. Then the semantics can simply be to hold the session for auto reload (or prompted reload) after a crash; but normally to require an explicit Restore Session action by the user. | * But I think better would be to have an explicit Save Session and Restore Session function. Then the semantics can simply be to hold the session for auto reload (or prompted reload) after a crash; but normally to require an explicit Restore Session action by the user. | ||
[[User:LukeKendall|LukeKendall]] 10:20, 18 July 2006 (EST) | [[User:LukeKendall|LukeKendall]] 10:20, 18 July 2006 (EST) | ||
''There should be an option to disable 'cookie restore'. I don't like the feeling that after crash or shut down any body can come on pc and login to my gmail and other accounts. Yes I can disable the sessions entirely but this will remove the feature entirely. I like session restoration in Opera but in FireFox it is less secure. | |||
== Crash Recovery and Session Manager have good code == | == Crash Recovery and Session Manager have good code == | ||
| Line 159: | Line 176: | ||
What about encrypting the saved session info, so that the files containing the data are not 'in plain language', readable in notepad. After a crash, perhaps a password would be required to re-open the last known session. Without the password, it opens to about:blank. | What about encrypting the saved session info, so that the files containing the data are not 'in plain language', readable in notepad. After a crash, perhaps a password would be required to re-open the last known session. Without the password, it opens to about:blank. | ||
= Comment from an Ordinary User = | |||
There is, in some people's opinion, a serious and potentially dangerous security and privacy risk. This is caused by the fact that if the Cache is stored in RAM (a disk drive created in RAM whose contents 'disappear' when the power is removed), material to restore pages is then saved on conventional hard disk. As at Firefox version 2.0 the last viewed web pages are reproduced perfectly without a connection being re-established with the remote server. This is done when the Cache was on RAM disk and after the computer's power had been turned-off for 12 hours! | |||
Firefox's restore session ability must be loved and admired by Big Brother throughout the world. With anti-virus checkers deliberately ignoring "official" security service bugs and trojans and users becoming more aware of all the data Microsoft and its Internet Explorer saves about them, its probably inevitable that Mozilla, for whatever reason, started saving in secret information about its user's browsing habits! | |||
It is a material consideration that Firefox does not permit ordinary users the ability to turn-off this security and privacy violating feature. If this feature is genuinely for the good of Firefox users, then Firefox ought to allow users to opt out easily and, of course, effectively and permanently. The fact that no such easily available disabling facility exists in Firefox clearly suggests the personal privacy and security of Firefox users was not adequately considered by Firefox's team. Why not? | |||
A Mozilla User, 24 December 2006. | |||
{Another user (wsanders): | |||
Forget about the security and all that, it's an annoying feature since I and probably a bunch of other users normally exit by powering off the computer, exiting X/Gnome/KDE with Ctrl-Alt-Delete, or typing "init 0". All these make Firefox 2 think it has crashed, and annoy with a startup message next time it's launched. One should be able to at least disable this feature in about:config. | |||
'''never''' - Never save closed tabs in sessions and delete all closed tabs when the browser is shutdown. Also closed tabs will not be restored from saved sessions that had been saved with closed tabs. | |||
[http://sessionmanager.mozdev.org/documentation.html http://sessionmanager.mozdev.org/documentation.html] | |||
= Understanding the Structure of sessionstore.js file = | |||
Hello all, | |||
Sorry to intrude on your work, but I have a question that I just cannot find an authoritative answer on and I'm not sure that this is the appropriate place to ask, but here goes... | |||
I am in law enforcement and currently looking at a fragment of data from unallocated space that *appears* to be in the same format as the a/n file. I need to determine what the nature of the fields are. I have a pretty good idea on most of them, but not all. | |||
For example, let's say this information excerpt: | |||
"... title"Hotmail", cacheKey:0, ID:1291, scroll:"0,0"}], index:1, zoom:1, disallow:"", xultab:""....." | |||
I can see from other pages on this wiki what some of these items do/store, for example scroll stores scroll bar position, but ID, where is the 1291 obtained from? Is this the 1291st browsing instance since the browser was started? I can't tell very well from the source code, but I'm not super fluent in js. | |||
Any help would be GREATLY appreciated. If this isn't the correct location for this, please let me know where I should ask. | |||
--[[User:G-man|G-man]] 12:22, 1 May 2008 (PDT) | |||
:Have a look at http://forums.mozillazine.org/viewtopic.php?f=38&t=622036&p=10320887#p10320887" The code explains the structure, but only few attributes. | |||
== Disable session restore == | |||
I don't like the feature of Firefox that it tries to revisit or reload the webpages that caused my browser to crash. ... I desperatly want an option for NO session restore, ever. | |||
Set ''browser.sessionstore.max_resumed_crashes'' to 0. Firefox will ask after a crash which windows/tabs to restore. See more [[Session_Restore#Preferences|Preferences]] on front page. [[User:Hbbb|Hbbb]] 07:22, 27 October 2009 (UTC) | |||
== A possibly better way to secure the data == | |||
One way that Firefox could secure the session restore automatically is using a hybrid asymmetric (like RSA, DSA, or ElGamal) and symmetric (like AES, Blowfish, Twofish, 3DES, or Serpent) encryption setup like what SSL, TLS, and PGP use. | |||
All it needs to do is create a asymmetric key pair with a password encrypted "Private Key" the first time Firefox opens and then whenever you load up Firefox it quickly creates a temporary symmetric key which it uses for that session to encrypt the session restore data with and it encrypts the temporary symmetric key with your asymmetric "Public Key". So then if you ever need to restore your session you will need your private key and the password the private keys encrypted with to decrypt the sessions temporary symmetric key. | |||
With asymmetric encryption you have a key pair with 2 keys a "Private Key" and a "Public Key" and you can give everyone your public key and when you encrypt something with someones "Public Key" the only way to decrypt the data is with that persons "Private Key" and the password the private key is encrypted with (technically it is possible to create a "Private Key" that isn't encrypted with a password then all you need is the "Private Key" to decrypt the data) | |||
:I'm with LukeKendall. Full Disk Encryption, or OS-level stuff like TrueCrypt, BitLocker and FileVault are the solution to this issue; no need to try and re-solve this problem. ''{But I'm going to add some of the info from http://www.blogsdna.com/4318/how-to-get-back-firefox-35-session-restore-page.htm and on sessionstore.js, which I think is key. (err, never mind about the latter; http://support.mozilla.com/en-US/kb/Session+Restore is the place for documentation.)}'' --[[User:MrElvey|MrElvey]] 04:47, 11 June 2010 (UTC) | |||
:Oh, and there's browser.sessionstore.resume_from_crash which is a partial fix to this issue for those who feel Firefox itself needs to be more careful with this sensitive/private info. --[[User:MrElvey|MrElvey]] 05:00, 11 June 2010 (UTC) | |||
= Panorama Support = | |||
How does Session Store support Panorama? I have repeatedly seen all my panorama tabs being cleared away, and there is no way of getting them back by just restarting Firefox. | |||