Another Great Drug War Moment

From Radley Balko:

In February, I wrote the following about a drug raid in Missouri:

SWAT team breaks into home, fires seven rounds at family’s pit bull and corgi (?!) as a seven-year-old looks on.

They found a “small amount” of marijuana, enough for a misdemeanor charge. The parents were then charged with child endangerment.

So smoking pot = “child endangerment.” Storming a home with guns, then firing bullets into the family pets as a child looks on = necessary police procedures to ensure everyone’s safety.

Just so we’re clear.

Now there’s video, which you can watch below. It’s horrifying, but I’d urge you to watch it, and to send it to the drug warriors in your life. This is the blunt-end result of all the war imagery and militaristic rhetoric politicians have been spewing for the last 30 years—cops dressed like soldiers, barreling through the front door middle of the night, slaughtering the family pets, filling the house with bullets in the presence of children, then having the audacity to charge the parents with endangering their own kid…

There are 100-150 of these raids every day in America, the vast, vast majority like this one, to serve a warrant for a consensual crime.

But Jonathan Whitworth won’t be smoking that pot they found in his possession. So I guess this mission was a success.

Uh-Oh: Firefox’s Unique Session Cookie Behavior

By now, Opera’s invention of restoring tabs automatically is available in most browsers, but unlike every other browser, Firefox’s restored tabs retain session cookies for the domains of the saved tabs Firefox restores all session cookies as if the browser were never closed. This is handy in some ways, but dangerous in others:

It’s fooling web developers by breaking a very old and widely-known convention. Since Netscape’s original spec (around 1994) a cookie with an empty/missing expires was to be discarded “when the user’s session ends” (later clarified as “when the user agent exits” in RFC2109), and thousands of prominent web pages describe “session cookies” this way.

A common session design pattern uses a persistent cookie to establish low-level identity info and a session cookie for full authentication. Developers may not know that their full auth period may be lasting days or weeks, including trips to insecure wifi spots, browsing by multiple users, etc.

It’s fooling users. No one thinks of a single browsing “session” as encompassing several days of browser usage just because the same tabs were open, and users frequently read that they need to simply exit their browser to ensure their session is ended.

Recommendations

  • Be aware that Firefox session cookies can linger for days, despite the user having closed their browser.
  • Manage session timeouts on the server-side and/or via HMAC-signed timestamp values in the cookie contents (don’t let the client decide how long a session should last).
  • If you can, include secure in the cookie header. Firefox does not restore HTTPS session cookies. Realize that in later FF versions, “secure” cookies also are restored.
  • If you give out session cookies with unique names, have your application clean these up when they’re no longer needed. If you don’t, your Firefox users could suffer from…

Cookie Accumulation Torment

This annoying situation occurs when Firefox gains so many local cookies that the web server begins to deny all your requests. Deleting some or all these cookies is the only way to fix the issue because—yay—the problem session cookies persist across browser, and even OS, restarts.

Big Shibboleth Implications

If your Shibboleth-authenticating app maintains its own session, make sure that the “sign out” function searches for and deletes the local Shibboleth cookies (or that the SP sets only “secure” cookies). Otherwise this could happen:

  1. Jane “signs out”, closes Firefox, and lends her computer to Sally.
  2. Sally opens Firefox and clicks “sign in”.
  3. Sally is instantly authenticated into Jane’s account!

Jane’s application session was over, but Firefox allowed her Shibboleth session to live on.

Also, since Shibboleth gives out uniquely-named session cookies (prepended with _shibstate), failing to clean these up will lead Firefox users to the aforementioned torment. If the user has an app open all day every day, count on her gaining at least one cookie per day.