BUG? Firefox 58 keeps user logged into FreeNAS even if PC rebooted

Status
Not open for further replies.

Duderino2020

Dabbler
Joined
Mar 20, 2015
Messages
11
Hello all,
If I log into FreeNAS WebGUI via Firefox, I can close the browser, re-open it and I will be able to open that TAB again and I will already be logged in to FreeNAS with full permissions of that user. No need to enter User/Password. Firefox has not been set to remember the login info. I double checked and those credentials have not been saved. I was able to reproduce this on all of my other PCs.
Firefox was set to "Show your windows and tabs from last time" under OPTIONS. However, even if I disable this, shut everything down, reboot the PC, reopen Firefox and type the IP address, I can use the GUI without entering any U and P credentials. I've tried clearing the web cache and history, purged on filled forms, passwords, shut off all Add-Ons, etc. I even created a new clean profile using Firefox's profile manager to try clean browser tests. In short, I've tested this in every way I could think of and I can replicate it every time.

I tested a long time frame too. I shut the PCs off, went out for over 2 hours meeting clients, returned and turned them on and was still able to access FreeNAS without logging in because the previous user (root or user I created) that was logged in still works.

I'm not sure if this is a known issue or just me. I also don't know if this is a Firefox issue or a FreeNAS issue, though I suspect this is a Firefox thing. Even so, if it is, I believe FreeNAS should have some sort of way to prevent it, right? I only use Firefox and currently I'm using version 58. This also happened with version 57 too. I don't know if this happens with Chrome, Edge, etc.

Misc. details:
Yes, I searched the forums here. I found nothing.
All PCs running Windows 10 Pro.
I'm connecting to my FreeNAS box via HTTP only. Not using HTTPS yet. Therefore, I've only tested this under HTTP.
All browsers are Firefox 58 and using the same add-ons.
Add-ons are: Disable WebRTC, NoScript, OneTab, UBlock Origin
All OS and all software up to date.
I tested on both FreeNAS 11.1 and 11.1 U1.
My FreeNAS install is basically a clean install using defaults. I've only added some users and datasets. Nothing more complex.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I also don't know if this is a Firefox issue or a FreeNAS issue, though I suspect this is a Firefox thing.
I suspect it's a FreeNAS thing. If the web GUI doesn't have a login timeout (which I don't think it does), it would cause the behavior you're seeing.
 

Duderino2020

Dabbler
Joined
Mar 20, 2015
Messages
11
I suspect it's a FreeNAS thing. If the web GUI doesn't have a login timeout (which I don't think it does), it would cause the behavior you're seeing.
OK. That was my thinking as well. Glad to see it's not just me. I was searching the user's guide, online, etc. for a logout session timer and found nothing. I clicked through every menu. I'm actually very shocked this feature is missing. Has it always been that way? Security-wise, it seems insane.
 

dlavigne

Guest
OK. That was my thinking as well. Glad to see it's not just me. I was searching the user's guide, online, etc. for a logout session timer and found nothing. I clicked through every menu. I'm actually very shocked this feature is missing. Has it always been that way? Security-wise, it seems insane.

Did you log into the old or the new UI?
 

Duderino2020

Dabbler
Joined
Mar 20, 2015
Messages
11
Did you log into the old or the new UI?
I used Coke Classic. lol The original UI. I haven't used the new GUI on my real system yet. I played with it under VM just to check it out. I know it's not ready for prime time.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
My two installs behave as if there is a ~24-hour login timeout (with Firefox).
 

Linkman

Patron
Joined
Feb 19, 2015
Messages
219
I'm using Firefox 57 on Ubuntu, FreeNAS 11.1 and I definitely get timed out on the Web UI, and need to log in again. Never changed any timeout settings (are there any?) or use any password or login "savers" in the browser.
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
I think it's cookies.
 

Duderino2020

Dabbler
Joined
Mar 20, 2015
Messages
11
I think it's cookies.
I don't think that's the case for me. I purged FF and even created a clean profile. Even tried it under a clean Windows VMWARE VM and on another laptop that's never connected to my FreeNAS box before. I'm mystified for sure. Still, I'm surprised there is no logout timer option to force a disconnect. pfSense has it and that's FreeBSD.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'm surprised there is no logout timer option to force a disconnect. pfSense has it and that's FreeBSD.
It has nothing to do with the base OS; it's all a matter of how the web GUI is coded. The pfSense web GUI includes one (though it's quite a long one); it's as yet unclear whether FreeNAS does.
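
One way to settle the "cookies or login timeout" question raised in this thread is to read the `Set-Cookie` header the web GUI sends at login. This is an added example, not part of the thread and not FreeNAS code; the cookie name `sessionid`, the function name `audit_cookie` and the sample headers are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def audit_cookie(set_cookie, received_at):
    """Report how long one Set-Cookie value keeps a browser logged in."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip()

    lifetime = None  # seconds; None means a browser-session cookie
    if "max-age" in attrs:  # Max-Age wins over Expires (RFC 6265)
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            pass
    if lifetime is None and "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = int((expires - received_at).total_seconds())
        except (TypeError, ValueError):
            pass

    findings = []
    if lifetime is not None and lifetime > 0:
        findings.append("persistent: survives browser close and reboot")
    if "secure" not in attrs:
        findings.append("no Secure flag: also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by page scripts")
    return {"name": first.split("=", 1)[0], "lifetime_s": lifetime,
            "findings": findings}


# Constructed sample headers, not captured from a FreeNAS system.
NOW = datetime(2018, 2, 7, 10, 0, 0, tzinfo=timezone.utc)
SAMPLES = [
    "sessionid=abc123; Max-Age=1209600; Path=/; HttpOnly",
    "sessionid=abc123; expires=Wed, 21 Feb 2018 10:00:00 GMT; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(audit_cookie(header, NOW))
```

The header itself can be copied from the browser's network inspector on the login response. A cookie with no `Max-Age` or `Expires` is normally dropped when the browser closes, but Firefox's session restore ("Show your windows and tabs from last time") can bring such cookies back.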
 

Duderino2020

Dabbler
Joined
Mar 20, 2015
Messages
11
It has nothing to do with the base OS; it's all a matter of how the web GUI is coded. The pfSense web GUI includes one (though it's quite a long one); it's as yet unclear whether FreeNAS does.
Mmmm, yes. You are right and I should have communicated my thoughts more clearly. FreeBSD doesn't have a GUI and the brilliant people behind projects like pfSense and FreeNAS create their own GUI for their project. I just meant that pfSense has it/does it...ergo, I assume it must be possible for FreeNAS to duplicate this.

UNRELATED - danb35...what is your avatar? I've been trying so hard to figure it out!? I don't have a clue.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

Linkman

Patron
Joined
Feb 19, 2015
Messages
219
Damn your link to that wikia! Now I need to find my Babylon 5 DVDs. And why haven't I ripped them to the media server yet?
 

Duderino2020

Dabbler
Joined
Mar 20, 2015
Messages
11