Firefox session cookies
8

114

Generally speaking, when given a cookie that has no expiration period, modern browsers will consider this cookie to be a 'session cookie' and will remove the cookie at the end of the browsing session (generally when the browser instance closes).

IE, Opera, Safari and Chrome all support this behavior.

However, Firefox (3.0.9, the latest proper release) appears not to follow this rule; from what I can tell it doesn't expire the cookies when the browser is closed, or when the user logs off or restarts the OS.

So, why does Firefox refer to these as session cookies, when they apparently last indefinitely?

Does anyone know how Firefox handles session cookie expiration?

Locale answered 22/4, 2009 at 15:17 Comment(2)
I don't think this has actually been answered. I am seeing this too. – Dragonroot
Thanks BRH for your research; I actually did see your reply and was meaning to check your research before marking your answer instead, but completely forgot! Apologies. – Locale
125

This is apparently by design. Check out this Bugzilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=443354

Firefox has a feature where you close Firefox and it offers to save all your tabs, and then you restore the browser and those tabs come back. That's called session restore. What I didn't realize is that it'll also restore all the session cookies for those pages too! It treats it like you had never closed the browser.

This makes sense in the sense that if your browser crashed you get right back to where you were, but is a little disconcerting for web devs used to session cookies getting cleared. I've got some old session cookies from months ago that were set by sites I always have open in tabs.

To test this out, close all the tabs in your browser, then close the browser and restart it. I think the session cookies for your site should clear in that case. Otherwise you'd have to turn off session restore.

Dragonroot answered 4/7, 2009 at 21:40 Comment(9)
I find this behavior quite questionable, thanks for your research. If "Save and Quit" or "Restore tabs and windows" is selected upon closing the browser, all session cookies remain intact. The only way for the "user" to get rid of them is to first close the tab(s) and then close the browser. – Mages
Did you ever find a workaround? I really don't want Firefox to dig up old sessions as I need the session ID in my app to be unique. – Amenra
Sorry, I don't know of a workaround. From your app's perspective, their browser never closed. – Dragonroot
I've noted some of the implications of this (IMO ill-advised) decision: mrclay.org/index.php/2010/05/02/… – Leastways
I got bitten by this behavior today, too. I thought there was something wrong with my app. Then I tested Chrome and other browsers, and figured out Firefox is the culprit. – Doublebank
Chrome does the same, and it's by design that it has knowingly introduced a horrific security bug that no one wants to fix in the last 4 years. Chrome in chromium stated they will not fix it. – Frap
w3.org/Protocols/rfc2109/rfc2109: Max-Age: The default behavior is to discard the cookie when the user agent exits. – Frap
Closing tabs and then closing the browser doesn't seem to get rid of them either. – Mcclish
@Frap, relying on the client to delete the cookies is a "horrific security bug". You have to make sure session data is discarded on the server side! – Pym
5

Two ideas:

  1. You have a problem with your session manager (the one included in FF3 or one included in an extension, like tabmixplus).
  2. Use Firebug + FireCookie (https://addons.mozilla.org/en-US/firefox/addon/6683) to debug!
Paucker answered 29/4, 2009 at 16:35 Comment(0)
3

This should work. I used to be one of the cookie module testers, and I don't think there is any design reason this would behave differently (although if you crash, the session cookies might be designed to live on when you restart...)

Are you viewing the cookies in the "Preferences" menu > "Privacy" Tab > "Show Cookies..." button?

Also, have you tried a new profile?

Fustanella answered 29/4, 2009 at 16:30 Comment(2)
Very strange. I'm relatively happy if this is just a bug with the two systems I tested it on. I've viewed the cookies and they survive anything, and they are absolutely being classified as session cookies by Firefox. The only options I ever change in Firefox are to turn JavaScript off and on; my installed plugins are Firebug and the Web Developer toolbar. Ah well, cheers anyway. – Locale
There are also a variety of cookie module preferences, but I don't recall any of them having this kind of functionality. FF3 did switch from a text file to a cookie database; maybe your database has misbehaved. – Fustanella
3

I disagree with meandmycode above.

The HTTP spec https://www.ietf.org/rfc/rfc6265.txt talks about what a client should do with Set-Cookie headers with Expires:

If the server wishes the user agent to persist the cookie over multiple "sessions" (e.g., user agent restarts), the server can specify an expiration date in the Expires attribute. Note that the user agent might delete the cookie before the expiration date if the user agent's cookie store exceeds its quota or if the user manually deletes the server's cookie.

The logical extension of this is that the ONLY way the server has to require that the browser does not maintain a cookie on exit is to set no Expires value (i.e. a session cookie). If a browser does not honor that semantic then it's not honoring the server's response.

Essentially the user agent is deciding to ignore the server request and act as if an Expires value had been set.

Tiresome answered 21/7, 2015 at 11:20 Comment(0)
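The answer above rests on how a user agent is supposed to read the Expires and Max-Age attributes. The following is an added example (not code from the thread, and not any browser's cookie module) that applies the RFC 6265 section 5.3 rules to a raw Set-Cookie header: Max-Age takes precedence over Expires, a non-positive Max-Age means "already expired", an unparseable attribute is ignored, and a cookie with neither attribute is a session cookie that the user agent is expected to discard on exit. The header strings are constructed for illustration.

```python
"""Classify a Set-Cookie header as a session or persistent cookie (RFC 6265 5.3).

Added example; the sample headers below are constructed, not captured traffic.
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# RFC 6265 5.2.2: a Max-Age value is digits with an optional leading '-';
# anything else makes the attribute invalid and it is ignored.
_MAX_AGE_RE = re.compile(r"^-?\d+$")


def classify_set_cookie(header: str, now: Optional[datetime] = None) -> dict:
    """Return name, persistent flag, expiry and time-to-live for one header.

    expiry is an aware datetime, or None for a session cookie; ttl_seconds is
    the number of seconds from `now` until expiry (negative = already expired).
    """
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()

    expiry = None
    max_age = attrs.get("max-age")
    if max_age is not None and _MAX_AGE_RE.match(max_age):
        seconds = int(max_age)
        if seconds > 0:
            expiry = now + timedelta(seconds=seconds)
        else:
            # Zero or negative: the earliest representable time, which is how
            # a server tells the browser to delete the cookie right away.
            expiry = datetime.min.replace(tzinfo=timezone.utc)
    elif "expires" in attrs:
        try:
            expiry = parsedate_to_datetime(attrs["expires"])
            if expiry.tzinfo is None:  # cookie dates are GMT; treat naive as UTC
                expiry = expiry.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            expiry = None  # unparseable Expires is ignored: still a session cookie

    return {
        "name": name.strip(),
        "value": value,
        "persistent": expiry is not None,
        "expiry": expiry,
        "ttl_seconds": (expiry - now).total_seconds() if expiry else None,
    }


# Constructed sample headers, not taken from any real site.
SAMPLE_HEADERS = [
    "PHPSESSID=constructed-sid; Path=/; HttpOnly",                       # session cookie
    "remember=1; Max-Age=3600; Expires=Wed, 09 Jun 2021 10:18:14 GMT",   # Max-Age wins
    "remember=1; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",         # Expires only
    "remember=; Max-Age=0; Path=/",                                      # delete now
    "tracker=abc; Max-Age=abc",                                          # invalid, ignored
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        info = classify_set_cookie(h)
        kind = "persistent" if info["persistent"] else "session"
        print(f"{info['name']:<10} {kind:<10} expiry={info['expiry']}")
```

Run against the sample list, only the first and last headers come out as session cookies; the point of the thread is that a browser which restores those two across a restart is behaving as if an Expires value had been sent, which is exactly what the server did not ask for.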
1

This is a bit of a concern in shared user environments. If I set an authentication cookie that is set to expire at the end of the session, this will persist in Firefox after the browser has been closed and another user starts up Firefox. Cookies are set with an expiry date for a reason!

Martijn answered 30/3, 2012 at 3:1 Comment(1)
Well, to be fair regarding "Cookies are set with an expiry date for a reason": in this scenario, you aren't setting an expiry date, so it's up to the browser to decide how long that cookie lasts. – Locale
1

I'm flummoxed that Mozilla have left this as it is for several years.

OK, so I quit FF and switch off the PC. Next day FF starts and opens the last set of pages (nice handy feature) BUT it restores the sessions and I'm logged back in to sites which have no "save my settings" feature. I know because they are sites I built. Whatever I do with PHP ini settings the sessions are restored.

They absolutely should not be restored. Pages yes, but sessions with cookie ini set to '0' no.

I don't understand why this is not flagged as a security hole. Sure I can do some additional checking on the server side, to see if a login should be allowed, based on time from last log in, but it shouldn't be needed.

A session should NOT persist. FF is manipulating cookie expiry settings.

Lampoon answered 12/1, 2015 at 11:28 Comment(1)
Relying on the client to delete the cookies is a "security hole". You always have to make sure session data is discarded on the server side! This is like form validation: never trust the client ;-) – Pym
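The two answers above (Martijn's shared-machine concern and Lampoon's restored logins) and Pym's replies come down to the same design point: the server must decide when a session ends, because a browser may hand back a session cookie long after the server expected it gone. The following is an added example, not code from the thread and not PHP's session module, of a server-side session store that enforces an idle timeout and an absolute lifetime on every lookup, plus the Set-Cookie value a server sends when the user explicitly exits. The store, the timeout values, the fake clock and the timeline are all constructed for illustration.

```python
"""Server-side session lifetime, independent of whether the browser keeps the cookie.

Added example: an in-memory store with idle and absolute timeouts. The timeout
values and the replayed timeline are constructed, not taken from any real app.
"""
import secrets
import time
from typing import Optional

IDLE_TIMEOUT = 30 * 60       # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on a session's life, however active it is


class SessionStore:
    """Session table keyed by the opaque id carried in the session cookie."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the timeline below can be replayed
        self._sessions = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable; the cookie carries only this
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user for a live session; expire and drop it otherwise."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        too_old = now - rec["created"] > ABSOLUTE_TIMEOUT
        too_idle = now - rec["last_seen"] > IDLE_TIMEOUT
        if too_old or too_idle:
            del self._sessions[sid]  # a cookie the browser restored now maps to nothing
            return None
        rec["last_seen"] = now
        return rec["user"]

    def destroy(self, sid: str) -> None:
        """Explicit logout (the EXIT button case): remove the server record."""
        self._sessions.pop(sid, None)


def clear_cookie_header(name: str) -> str:
    """Set-Cookie value that asks the browser to drop the cookie immediately."""
    return f"{name}=; Max-Age=0; Path=/; HttpOnly; Secure"


class FakeClock:
    """Controllable clock so the restart scenario can be replayed deterministically."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_restart_next_day() -> dict:
    """Log in, use the site, quit, then the browser restores the cookie next morning."""
    clock = FakeClock()
    store = SessionStore(clock)
    sid = store.create("alice")          # constructed user
    clock.advance(10 * 60)
    active = store.lookup(sid)           # ten minutes later: still valid
    clock.advance(16 * 3600)
    restored = store.lookup(sid)         # next day: cookie restored, session refused
    return {"active": active, "after_restore": restored, "cookie_still_sent": sid}


if __name__ == "__main__":
    result = simulate_restart_next_day()
    print("during session:", result["active"])
    print("after restart :", result["after_restore"])
    print("on EXIT send  :", clear_cookie_header("PHPSESSID"))
```

The restored cookie is still presented by the browser the next morning, but the lookup returns None and the user is back at the login page regardless of what Firefox did with the cookie. The Exit button case from the thread is the destroy() call paired with the Max-Age=0 header: the record is gone server-side first, and the browser is then told to drop the cookie as a courtesy rather than as the security boundary.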
1

In my case, it was because of pinned tabs that automatically restored the session even if this option was disabled in Firefox settings. So if you unpin the tabs, the session won't be restored.

Petulance answered 30/9, 2020 at 15:21 Comment(1)
Please include an example or a pictorial presentation to elaborate your solution! – Expatriate
-1

Well it is disconcerting to me. My system is set up so that users can hit EXIT whereby I destroy all session cookies. But if a user closes the browser without actually choosing to Exit, I'd like the session cookies cleared.

I actually tested it with Google Chrome and IE 9, and it works fine. But Firefox is reluctant to kill these "session" (as reported by Firebug) cookies.

OK. This is what I did. I chose Exit from the Firefox main menu and from then on, it did fine as expected (don't know why).

Nittygritty answered 31/3, 2013 at 15:25 Comment(0)
