EDIT: Yeah… bad idea. Got it.
I’ve been thinking about this for a while. Sometimes there are situations where I have to log into one of my accounts temporarily to look at or take something, and logging in is usually a pain in the ass or straight up uncomfortable.
So my idea is that this feature will allow me to temporarily share/relay the cookies stored in the mobile browser that are used to remember logged-in accounts (login credentials?) over a secure wireless or wired USB connection to use with the desktop browser (in a temporary container/session so as not to conflict with other users’ data), in order to do whatever I do, and then wipe out all data upon mobile device removal.
So… what do you think?
I think that this would be a security nightmare and would require a massive redesign for session cookies.
If anything, they should be trying to lock cookies and sites’ assorted data to the specific device used to log in.
At the moment it is very easy for a criminal (once they have gained access) to nab your browser’s entire profile and load it up on their computer, giving them access to everything logged in on that profile.
What you are suggesting is something that would make the criminals’ jobs easier.
Wouldn’t a password manager solve your problem?
No, logins should be harder in order to be secure. Hence the addition of 2FA (which is also incompatible with your proposal).
As developers, we strive to make things more secure, not less, and unfortunately, good security always comes with the trade-off of less convenience for the user (larger entropy passwords, session expiration, captchas, etc).
Now, of course, it depends on how sensitive the data in that account is. I wouldn’t want this for my email account, for example, or an online password manager, which are the entry gates to all my other accounts. The Kagi search engine offers the possibility to log in on another device via a session URL which you can copy-paste. And this is fine, if the site / app clearly states the dangers, implements it securely, tracks and lists the sessions and allows you to invalidate a session for all devices, and you are fine with potentially disclosing the data for that account (forgetting to log out, or disclosing the session URL somewhere) - which is not much, as they don’t log the searches, only the daily counts. And their use-case makes sense; people aren’t used to authenticating in order to search something on the internet.
So, this should be an optional feature offered by the website / app, not built into the browser, which would make it trivial to abuse by anyone.
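To make the two points above concrete (binding a session to the device that logged in, and tracking/revoking sessions server-side), here is a small added model of device-bound sessions. It is a constructed example written for this thread, not code from Firefox, Kagi, or any poster. It assumes a per-device key that the server can challenge; a plain HMAC key stands in for what would in practice be a hardware-backed key pair, and the password/2FA step before login is out of scope.

```python
"""Toy model of device-bound browser sessions (constructed example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    device_id: str
    created: float
    expires: float
    revoked: bool = False


class SessionServer:
    """Server side. Stores hashed tokens plus, per device, a key used in a
    challenge-response. The symmetric HMAC key is an assumption of this sketch;
    a real deployment would verify a signature from a device-held key pair."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._devices = {}    # device_id -> device key
        self._sessions = {}   # sha256(token) -> Session (tokens never stored in clear)
        self._nonces = set()  # outstanding challenges, single use

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register_device(self, device_id):
        key = secrets.token_bytes(32)
        self._devices[device_id] = key
        return key  # stand-in: a real private key would never leave the device

    def login(self, user, device_id):
        """Called after the password and 2FA checks have passed."""
        if device_id not in self._devices:
            raise ValueError("unknown device")
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._hash(token)] = Session(user, device_id, now, now + self.ttl)
        return token  # this is the cookie value handed to the browser

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def authenticate(self, token, nonce, proof):
        """Accept the cookie only if the request also proves possession of the
        key of the device the session was created on. A cookie copied to
        another machine fails here even though the token itself is valid."""
        if nonce not in self._nonces:
            return None
        self._nonces.discard(nonce)  # each challenge may be answered once
        s = self._sessions.get(self._hash(token))
        if s is None or s.revoked or self.clock() > s.expires:
            return None
        expected = device_proof(self._devices[s.device_id], nonce, token)
        if not hmac.compare_digest(expected, proof):
            return None
        return s.user

    def list_sessions(self, user):
        """What a 'manage your sessions' page would show the account owner."""
        return [s for s in self._sessions.values() if s.user == user and not s.revoked]

    def revoke_all(self, user):
        """Invalidate every session of the user on every device; returns the count."""
        n = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                n += 1
        return n


def device_proof(device_key, nonce, token):
    """Client side: bind this request to the device key and the cookie."""
    return hmac.new(device_key, f"{nonce}|{token}".encode(), "sha256").hexdigest()


def demo():
    srv = SessionServer()
    phone_key = srv.register_device("phone")
    laptop_key = srv.register_device("laptop")
    cookie = srv.login("alice", "phone")

    n = srv.challenge()                       # same device: accepted
    ok = srv.authenticate(cookie, n, device_proof(phone_key, n, cookie))
    n = srv.challenge()                       # cookie copied to another device: rejected
    copied = srv.authenticate(cookie, n, device_proof(laptop_key, n, cookie))
    n = srv.challenge()                       # reusing an old challenge answer: rejected
    p = device_proof(phone_key, n, cookie)
    first = srv.authenticate(cookie, n, p)
    replay = srv.authenticate(cookie, n, p)
    active = len(srv.list_sessions("alice"))  # owner reviews, then revokes everywhere
    revoked = srv.revoke_all("alice")
    n = srv.challenge()
    after = srv.authenticate(cookie, n, device_proof(phone_key, n, cookie))
    return ok, copied, first, replay, active, revoked, after


if __name__ == "__main__":
    print(demo())  # ('alice', None, 'alice', None, 1, 1, None)
```

The point of the sketch is the shape of the checks rather than the primitives: the cookie alone is never enough, every request must be answered from the original device, the owner can see and kill every session, and expiry is enforced server-side so a relayed or forgotten session dies on its own.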
Does Firefox Sync do this?