What's the difference between ALLOW and ALLOW for a SESSION?
Under EXCEPTIONS I had to ALLOW certain websites. Then I decided to experiment and see what ALLOWED for SESSION really does.
Neither the entries for websites I allowed for a session were deleted from the list of exceptions, nor the cookies saved by these websites were deleted even when I closed the browser.
I do not see the difference in terms of what happens between selecting Allow vs. Allow for session.
Could someone who knows please explain or point me to the place that explains the difference and how this works?
Thanks.
Solución elegida
Hi Sue, until recent years, people giving us cookies was always a good thing. But I digress.
Yes, when I test with lifetimePolicy = 2, the cookies do not come back.
When you say the preference change doesn't stick, how soon does it it change back?
Another way to make the change would be to temporarily change your Tracking Protection setting from blocking All cookies to a lesser level of blocking. Then check the box to clear cookies when Firefox closes. Then change your Tracking Protection setting back again. The box will be grayed out but still should show as checked.
That sticks on mine. (I don't use any add-ons that affect cookies or cookie settings, in case that is a factor.)
Leer esta respuesta en su contexto 👍 0Todas las respuestas (20)
My questions (now that the message broken into pieces went out):
- Social Media Trackers (listed as blocked) shows https://connect.facebook.net - ARE THEY BLOCKED??? - Cookies show 2 lists, screen capture attached - ARE THESE BLOCKED??? - Tracking Content shows another list, screen capture attached - ARE THESE BLOCKED???
- what's blocked out of what's shown in the SHIELD (see above and screen captures) - does the AAII website programmers code permissions for the social media trackers and everything else listed in the Shield?
I used the AAII website for testing. Checked that it does show Session for Expiration.
Two bugs need to be reported: session cookies never removed and problem with posting. I do not know who does that. Thanks.
My questions (now that the message broken into pieces went out):
Social Media Trackers (listed as blocked) shows https://connect.facebook.net - ARE THEY BLOCKED??? Cookies show 2 lists, screen capture attached - ARE THESE BLOCKED??? Tracking Content shows another list, screen capture attached - ARE THESE BLOCKED???
What's blocked out of what's shown in the SHIELD (see above and screen captures) Does the AAII website programmers code permissions for the social media trackers and everything else listed in the Shield?
I used the AAII website for testing. Checked that it does show Session for Expiration.
Two bugs need to be reported: session cookies never removed and problem with posting. I do not know who does that. Thanks.
Sorry, this site has a link spam filter. Any reply with URLs is diverted to a moderation queue. Those posts will appear eventually. There is supposed to be a message about that after you post your reply, but it's not very noticeable, judging from how often this question comes up.
My questions (now that the message broken into pieces went out):
Social Media Trackers (listed as blocked) shows https://connect.facebook.net - ARE THEY BLOCKED??? Cookies show 2 lists, screen capture attached - ARE THESE BLOCKED??? Tracking Content shows another list, screen capture attached - ARE THESE BLOCKED???
What's blocked out of what's shown in the SHIELD (see above and screen captures) Does the AAII website programmers code permissions for the social media trackers and everything else listed in the Shield?
Two bugs need to be reported: session cookies never removed and problem with posting. I do not know who does that. Thanks.
Sorry, but this is AWFUL...
How would someone know? There is ZERO message displayed anywhere.
My questions (now that the message broken into pieces went out):
Social Media Trackers (listed as blocked) shows a pointer to facebook - IS THIS BLOCKED??? Cookies show 2 lists, screen capture attached - ARE THESE BLOCKED??? Tracking Content shows another list, screen capture attached - ARE THESE BLOCKED???
What's blocked out of what's shown in the SHIELD (see above and screen captures) Does the AAII website programmers code permissions for the social media trackers and everything else listed in the Shield?
Session cookies never removed. Thanks.
I am confirming that under #4 I do see:
Custom Tracking Protection with All cookies selected for cookie blocking [_] Delete cookies and site data when Firefox is closed (unchecked, grayed out)
However, when I quit and then restart Firefox, the ones that have Session only permission are NOT removed.
Here is what I did, using the AAII.com website (Allow for session) for testing: - checked using your instructions the Expiration for this website w. Storage Inspector. It does show SESSION for all cookies for this website. - refreshed the Preferences tab - captured all cookies displayed by Manage Data (attached) - logged off the AAII website, closed the tab, refreshed Preferences, checked cookies in Manage Data - no change - quit Firefox - restarted Firefox
On the Enhanced Tracking Protection panel, Blocked means Blocked.
Do you restore your previous session automatically? With your settings, I see session cookies returning for a closed tab when I do a manual session restore. I have a series of three screenshots attached.
In my normal configuration -- only cross-site tracking and social cookies are blocked, no explicit exception needed to set session cookies -- closing the tab before exiting works as expected. That's the second series of three screenshots.
So there seems to be some difference when the Allow for Session permission is set for a site, but this is the first I've heard of it. You could file a bug report:
Thanks.
I am trying to "translate" your last post. Sorry, but not being a techie, this is quite difficult for me.
Yes, I configured the browser to reopen tabs when it restarts.
Are you saying that:
1. By doing what I did, the session cookies are NOT removed and that this is a bug that I should report? 2. By using the options that you use, you are accomplishing the same without having to have exceptions?
I do not like to have to keep restarting Firefox and closing all tabs, because I have to keep logging into websites, that I prefer to have open... I also would like to take advantage of all the privacy features offered by the product to reduce to a minimum tracking.
Who sets Social Media Trackers?
Thanks.
Hi Sue, the results are odd. This is the current behavior:
Preferences/General: Restore previous session + Tracking Protection/Custom: Block All Cookies (network.cookie.cookieBehavior = 2) + network.cookie.lifetimePolicy = 0 + site has "Allow for Session" permission
=> closed tab session cookies ARE restored
Could you try making one change (via about:config):
Preferences/General: Restore previous session + Tracking Protection/Custom: Block All Cookies (network.cookie.cookieBehavior = 2) + network.cookie.lifetimePolicy = 2 ("Delete cookies and site data when Firefox is closed") + site has "Allow for Session" permission
=> closed tab session cookies ARE NOT restored
Oops, missed two questions:
> 2. By using the options that you use, you are accomplishing the same without having to have exceptions?
I use this:
(1A) Default + Session cookies onlyabout:config settings:
- Standard or Strict Tracking Protection, or Custom Tracking Protection with Cross-site and social media trackers selected for cookie blocking
- [X] Delete cookies and site data when Firefox is closed (checked, uncheckable)
- network.cookie.cookieBehavior => 4
- network.cookie.lifetimePolicy => 2
That setting converts all cookies to session cookies. The only exceptions I need to create are for sites I want to stay logged in to or sites that use multi-factor authentication (such as texting a code to my phone) and I'm not willing to do that every time.
I realize this allows a bit more tracking than blocking all cookies, but it is my preferred compromise.
> Who sets Social Media Trackers?
Mozilla uses a list of tracking servers developed in conjunction with Disconnect (https://disconnect.me/about).
Thanks.
I am trying to do what you asked me to do, assuming that I understand the instructions:
- I have in Preferences/General: Restore previous session checked - Tracking Protection/Custom: set for Block All Cookies in all windows - I changed network.cookie.lifetimePolicy from 0 TO 2 - the website for testing has "Allow for Session" permission
How do I SAVE the change for network.cookie.lifetimePolicy ??? It doesn't seem to "stick".
Before I do more testing, please confirm that this is what you implied and let me know how to save the configuration change.
I would have never assumed that at age 74 this is what I will be doing. It helps that my 10 yr old grandson keeps teaching me. Thanks.
Solución elegida
Hi Sue, until recent years, people giving us cookies was always a good thing. But I digress.
Yes, when I test with lifetimePolicy = 2, the cookies do not come back.
When you say the preference change doesn't stick, how soon does it it change back?
Another way to make the change would be to temporarily change your Tracking Protection setting from blocking All cookies to a lesser level of blocking. Then check the box to clear cookies when Firefox closes. Then change your Tracking Protection setting back again. The box will be grayed out but still should show as checked.
That sticks on mine. (I don't use any add-ons that affect cookies or cookie settings, in case that is a factor.)
jscher2000, thanks for your time and patience.
I picked the easy way and, yes, you are right. After changing permissions and checking Delete cookies, then changing back to ALL blocked, closing the tab for the test website, quitting Firefox, restarting Firefox, the cookies for websites defined in Exceptions to Allow for session WERE REMOVED.
However, this raises some other questions.
1. Does this mean that there is a bug that needs to be reported? 2. Is this a permanent "workaround" for the problem? 3. What exactly "Delete cookies and Site Data when Firefox is closed" is supposed to delete? What is deleted as far as "site data" goes? Asking this question because after this test I still see 5 cookies, for websites setup to ALLOW them. Does this mean that cookies for websites ALLOWED are not deleted? Is this how the application works? I would be glad if the answer was YES, because I do not want to have all cookies removed when I quit Firefox. I only want cookies removed for websites setup to Allow them for the session. If this is how it works, then I finally got an answer to my first question, about the difference between Allow and Allow for session :):).
If you don't mind, after this is closed, I have remaining questions that came up during this testing, one pointing to another potential bug.
Thanks again.
> 1. Does this mean that there is a bug that needs to be reported?
Hi Sue, in my opinion, you should get the same result from both of these:
- session-only cookies set due to an Allow for Session permission with All Cookies Blocked
- session-only cookies set due to a general policy of Session only cookies
In both cases, they are session cookies, and session cookies should expire at the end of the session, and restoring the previous session should behave the same for a closed tab.
But maybe there is a reason it works the way it does that I haven't thought of.
> 2. Is this a permanent "workaround" for the problem?
I think you'll have to keep an eye on it from time-to-time to see whether your settings change.
> 3. What exactly "Delete cookies and Site Data when Firefox is closed" is supposed to delete? What is deleted as far as "site data" goes?
The Site Data is "local storage" or "DOM storage" data that sites can request Firefox to store. That can contain preferences used by scripts in the page, or... whatever. This was invented because cookies are limited in size and it's wasteful to use cookies for data the server doesn't need back on every request. In the "Manage Data" dialog, the data size is a separate column from the number of cookies.
> Asking this question because after this test I still see 5 cookies, for websites setup to ALLOW them. Does this mean that cookies for websites ALLOWED are not deleted? Is this how the application works?
The "Allow" permission allows cookies for as long as the server requests. Those are not subject to being shortened to session-only cookies.
Thanks for the quick reply.
Since you have also seen the initial problem (session cookies not deleted without the workaround) and since nobody else would know about the workaround, should this be reported as a bug or it doesn't make a difference?
I do not know what "session-only cookies set due to a general policy of Session only cookies " implies and probably nobody else knows, other experts like yourself. But if the workaround does the job reliably, for me that's good enough.
You mentioned that "The "Allow" permission allows cookies for as long as the server requests." What does this mean, when does the server stop "requesting" and maybe change the permission to Allow?
Regarding Social Media Trackers: who is the guilty party that does this for cetain websites that have nothing to do with me having a social media account and are they paid for doing it? I do not have a Facebook account, never had it and will not have it, but I have seen cookies from Facebook on my computer. I really resent that...
I learned a lot from this exchange, I appreciate it.
Based on it, I plan to set exceptions to allow for session cookies for everything that requires it. I will use ALLOW for websites that I want to keep open, those that require two factor authentication and those that use cookies to store information I need (e.g. Tripcheck). I will block cookies for websites that somehow store cookies despite the fact that I block all and do not belong to those that I allowed. If this will not work, I will go back to what you mentioned that you use.
I will mention one more thing related to the topic that I ran into that might be a bug.
I am using a website called athenahealth. It forced me to allow for session a bunch of cookies, including one that starts with 8752-2.
I am attaching 2 screen captures: - one showing info in the Shield for cookies, where this cookie (starting w. 8752-2) is shown as blocked - the list of exceptions that shows this cookie (starting w. 8752-2) as allowed for session.
How is the above possible? It defeats my logic.
THANKS
That's a lot of question.
Sue said
Since you have also seen the initial problem (session cookies not deleted without the workaround) and since nobody else would know about the workaround, should this be reported as a bug or it doesn't make a difference?
I don't have a sense of how many people use the configuration of block all cookies + allow for session exceptions + restore previous session automatically. So if you file a bug, I don't know whether it would get prioritized or languish (there are a lifetime's worth of bugs on file...).
I do not know what "session-only cookies set due to a general policy of Session only cookies " implies and probably nobody else knows, other experts like yourself. But if the workaround does the job reliably, for me that's good enough.
Checking the box for "Delete cookies and site data when Firefox is closed" shortens the lifetime of all cookies to Allow for Session unless you create an Allow exception.
You mentioned that "The "Allow" permission allows cookies for as long as the server requests." What does this mean, when does the server stop "requesting" and maybe change the permission to Allow?
When a server asks Firefox to set (save) a cookie, it either provides an expiration date or indicates it is for the current session only. Most sites set the expiration day way out in the future so they have the best chance of recognizing your browser on a return visit.
I am using a website called athenahealth. It forced me to allow for session a bunch of cookies, including one that starts with 8752-2. I am attaching 2 screen captures: - one showing info in the Shield for cookies, where this cookie (starting w. 8752-2) is shown as blocked - the list of exceptions that shows this cookie (starting w. 8752-2) as allowed for session. How is the above possible? It defeats my logic.
Those are not individual cookies, they are server names. I don't know why they have that odd server name, perhaps it represents a certain geographic region? Sometimes you can grant permission just on the base domain name --
http://athenahealth.com https://athenahealth.com
-- and have that work for all the subdomains (subdomains are the parts to the left, such as www. or portal.) as well. Worth a try to cut down on the number of exceptions you need to create.
Thanks again. You figured out how to solve the problem I have encountered.
I have a few other posts and each has a question that I could not get an answer to.
I might post the remaining questions in a new thread and then if I get answers I will update and close the original ones.
Recently, I watched a very interesting and scary documentary, "The Social Dilemma". It was one of the reasons for switching to Firefox. Overall I am very pleased with it and now I am very happy that it does what I wanted to accomplish with it. Maybe at some point we will have regulation to enable us, users, to own our information and have it captured, shared only with our permission. Until such time, Firefox provides more than any other browser that I used for protecting privacy and getting rid of many trackers and data hunters. The only time that I go now to Safari is when I want to print. Firefox doesn't show me whatever I want to print and it forces me to waste a lot paper and toner.
If we don't "connect" with my outstanding questions, I wish you safe and pleasant holidays.
See also:
- Bug 1681493 - [meta] Deprecate and remove network.cookie.lifetimePolicy
(please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)
cor-el said
See also:(please do not comment in bug reports
- Bug 1681493 - [meta] Deprecate and remove network.cookie.lifetimePolicy
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)
Oh no! (I felt the need to comment.)
Does this mean that what was achieved with so much back and forth will go away?
I do not know what "sanitizing" means, but I think that having an option (whatever called) to have only temporary cookies for some websites (like now for a "session") and permanent cookies (now with ALLOW) is an important benefit to using Firefox.
I do not understand the background and the impact of the proposed change, but would you mind translating the end result?