Something interesting that may be a security issue

I fired up the VM on which I have Manjaro KDE Unstable.

I then opened firefox and loaded this forum website, expecting to have to login, but I appear to be already logged in.

Can anyone offer any explanation for this behaviour?

I had already shut down the instance of Firefox, on the host, on which I was logged in to this site, but had not logged out. But I can’t see how that would have had any effect, unless some sort of link hijack occurred.

EDIT: Sorry, got my VMs mixed up. I had already logged in to the site via this VM; the privacy/security issue appears to be that the cookie NEVER expires.

I had not noticed this before as I usually explicitly delete cookies with Cookie Auto delete.

There appears to be no way to not have a permanent cookie set when logging in to this site.

Shared profile?

Other utilities running like ‘profile-sync-daemon’?

No, don’t use it.

You were logged in last time you shut down the VM.


No, this is actually the first time I’ve ‘logged’ in to the site via the VM. I only just realised the other day that it’s possible to copy/paste between the host and the client. My password for the site is a 32 character alphanumeric string, so copy/paste is the only

Besides the login would have timed out at the server, ages ago.

I also don’t use any remember me options.

So it seems like strange behaviour to me.

The only constants are that the VM (using QEMU) is on the same machine I normally use, and I use a VPN, so the IP address of the exit node is the same for both the VM and the host, and that’s what the site sees.

You don’t automagically create a cookie on the VM web browser to get automagically connected.


You are correct.

I’ve been going through this, and yes, I have logged in to this site from this VM. So the privacy/security issue is the cookie… it never expires.

The only reason I’ve never noticed this before is that I explicitly delete all cookies when I close Firefox, but did not set this instance of Firefox on this instance of Manjaro to delete cookies when Firefox is closed.

As I cannot find anywhere that one can set the cookie timeout, i.e. choose to be remembered or forgotten, I assume this is something not under the control of the forum administrators, but is a feature, not a bug, included in the forum template used by Manjaro Forum.

The only other option on this site is to explicitly log out, but the logout option is hidden.

Here, from the forum:

Here, from anywhere you’re logged in:

Yeah, that’s right it’s not obvious, you have to search for it.

If it is a security issue - that depends - as you suggest it is more a feature.

And yes from a security point of view - it opens for abuse.

It is much like the username-password storage for logins in a browser.

It could be a token / refresh token scenario where the app keeps the user logged in and if token is expired the refresh token is used.

I use the same flow for a company CRM I work with - backend token is valid for a week - if token expires - refresh token is used - if the user does not use the app for more than 2 weeks they need to login - and local storage is cleared.

Then they have saved their credentials in the browser - and bam - they are back in.

I have tried various settings - the current seems to be widely accepted.
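As an added example (not code from this thread or from the poster’s CRM), here is a constructed server-side model of the flow described above: an access token valid for a week, a refresh token used once it expires, and a forced re-login with the stored session dropped after more than two weeks without use. The refresh-token rotation and the `DAY`/`ACCESS_TTL`/`IDLE_LIMIT` constants are assumptions for the demonstration.

```python
import secrets

DAY = 86_400
ACCESS_TTL = 7 * DAY     # backend token is valid for a week (from the post)
IDLE_LIMIT = 14 * DAY    # more than 2 weeks without use -> login required


class Session:
    """One logged-in user; the client only ever holds the two token strings."""

    def __init__(self, now):
        self.access_token = secrets.token_urlsafe(32)
        self.access_expires = now + ACCESS_TTL
        self.refresh_token = secrets.token_urlsafe(32)
        self.last_used = now   # time of the last accepted request


class SessionStore:
    """Constructed server-side session table keyed by refresh token."""

    def __init__(self):
        self.sessions = {}

    def login(self, now):
        s = Session(now)
        self.sessions[s.refresh_token] = s
        return s

    def request(self, access_token, refresh_token, now):
        """Validate one client request at time `now`.
        Returns (status, (access, refresh)) with status 'ok', 'refreshed'
        (new tokens issued), 'rejected' or 'login_required' (tokens None)."""
        s = self.sessions.get(refresh_token)
        if s is None or now - s.last_used > IDLE_LIMIT:
            # Idle for more than 2 weeks (or unknown): drop the server record,
            # which is the point at which the client clears its local storage.
            self.sessions.pop(refresh_token, None)
            return "login_required", None
        if now < s.access_expires:
            if access_token != s.access_token:
                return "rejected", None          # wrong token, nothing refreshed
            s.last_used = now
            return "ok", (s.access_token, s.refresh_token)
        # Access token expired but the session is still live: use the refresh
        # token and rotate both, so a leaked refresh token can be used only once
        # (assumed hardening, not necessarily what the poster's CRM does).
        del self.sessions[s.refresh_token]
        s.access_token = secrets.token_urlsafe(32)
        s.access_expires = now + ACCESS_TTL
        s.refresh_token = secrets.token_urlsafe(32)
        s.last_used = now
        self.sessions[s.refresh_token] = s
        return "refreshed", (s.access_token, s.refresh_token)
```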

This is perfect like that. This is a Linux distro forum, not a bank account website.

Even today, there are users who insist on using an unorthodox Windows-centric method to log out of any website… (the X at the top/right of the browser window).

My initial thought, when I went to the site on the VM, was that there was some sort of IP hijack, as the VM is on the same host as I use for accessing this site; that is the ‘may be a security issue’. The log out thing was just a side issue that came up.

As it turned out it was neither, it was just the expiry time on the cookie, combined with how I shut down the VM.
