When logging in with multiple user accounts and switching from one user to another, I noticed that the cookies remained from my previous session even though I'd switched accounts. Although this doesn't pose any issues at the moment, I'm worried about potential future risks. For example, shouldn't a user have the option to choose what cookies they want to use? We are legally obliged to offer a cookie option. Also, if cookies "leak" from one session to another, how safe is it for our users to use the website and what other information could potentially "leak"? I am aware of the fact that I'm using a single computer to do the testing, but what if two different users booked tickets using the same machine? For example, what if they are co-workers and use the work PC? I'm attaching a video of the observed behaviour. Notice that all previous account usernames are stored, same as the passwords? Does that mean that I can log in with another user's username and password? Also, notice that the number of tickets I booked from user1's account remains when booking tickets from user2's account.
Giga.-.Cookies.leaking.Video.mov
Expected Behaviour
The username and password shouldn't be saved on the browser. This should only be an option if you are logging in with your email address and have chosen to store your username and password within that account.
Reproduction Steps
Log in as user1
Log out
Log in as a different user
Watch video above if you need more guidance.
I think the correct term is maybe autocompletion, but could be very wrong - it's more a history functionality. I've never used it myself.
If there's a different issue here about different users on a machine "seeing" what others have typed in, despite using different login accounts, that sounds like a browser bug. If it's just two people sharing the same login... well, I think that's where Incognito/Private browsing comes in.
I think this is invalid but happy if you want to try to convince me otherwise!
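A regression check for the cookie concern raised in this issue, as an added example that is not code from the reporter, the commenter or the project: given the Set-Cookie headers of a login response and of the following logout response, it lists the cookies that are still live afterwards. The cookie names and values are constructed, and cookies are matched by name only (Path and Domain are ignored), which is an assumption of this sketch.

```javascript
// Constructed sample headers; cookie names and values are hypothetical.
const SAMPLE_LOGIN = [
  "session=abc123; Path=/; HttpOnly; Secure",
  "basket=tickets%3D4; Path=/; Max-Age=86400",
  "pref_lang=en; Path=/; Max-Age=31536000",
];
const SAMPLE_LOGOUT = ["session=; Path=/; Max-Age=0"];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// A header deletes a cookie when Max-Age <= 0 or Expires is in the past.
// Max-Age takes precedence over Expires when both are present.
function isExpired(cookie, now) {
  const { attrs } = cookie;
  if ("max-age" in attrs) return Number(attrs["max-age"]) <= 0;
  if ("expires" in attrs) return Date.parse(attrs["expires"]) <= now;
  return false; // no expiry attribute: a live session cookie
}

// Replay login then logout headers into a name-keyed jar and
// return the names of cookies that the next user would inherit.
function cookiesSurvivingLogout(loginHeaders, logoutHeaders, now = Date.now()) {
  const jar = new Map();
  for (const h of [...loginHeaders, ...logoutHeaders]) {
    const c = parseSetCookie(h);
    if (isExpired(c, now)) jar.delete(c.name);
    else jar.set(c.name, c.value);
  }
  return [...jar.keys()].sort();
}

console.log(cookiesSurvivingLogout(SAMPLE_LOGIN, SAMPLE_LOGOUT));
```

Any name it reports that holds per-user state (here the constructed `basket` cookie) is a candidate for expiry in the logout response; browser form autocompletion is separate and is not covered by this check.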
Version
v3
Severity
Medium
Suggested Priority
Medium