Keep Cookies = Until I Close Firefox, Exceptions (Allow) Not Working
I'm attempting to configure Firefox so it will clear all my cookies, with a few exceptions, on program exit. I've configured it as:
- Always use private browsing mode is NOT checked
- Clear history when Firefox closes is NOT checked
- Accept cookies and site data is checked
- Keep until = I close Firefox
- Under exceptions, I add the specific URL exceptions for sites whose cookies I would like to survive exiting Firefox
- I do not have any cookie addons
However, it does not work. All the sites, including those listed in "Exceptions," log me out after I quit & re-start Firefox. I've done some searching, and have found many other threads from people with this issue, going back years. The suggested answers always seem to suggest the above configuration. Yet it just seems to behave as if the exceptions aren't there.
I should note that I'm trying to move over from Chrome, which has analog settings & is working as expected.
Why does it keep clearing the cookies for sites that are explicitly listed under "Exceptions"?
Edit: some links to other related threads, for reference:
https://support.mozilla.org/en-US/questions/958732
https://support.mozilla.org/en-US/questions/981919
https://support.mozilla.org/en-US/questions/1172808
So yours looks roughly like mine:
Do you have any cleanup, privacy, or utility software on your system that might remove cookies between Firefox sessions?
Also, do your exceptions follow the pattern of protocol://hostname as in this example:
Thanks for the quick & comprehensive reply.
So your answer *mostly* solved it - whereas in Chrome you can simply enter domains (i.e. google.com), here it actually differentiates between protocols. If you type "google.com" it auto-enters "http://google.com," which doesn't work - you need to explicitly type "https://google.com." Kinda unintuitive, but by explicitly changing my rules to https, many of them started to work.
A second issue is that it seems to actually differentiate between port, too. I have a domain on which I host a number of different services (i.e. web UIs for several different NASs, a home-control server, a home security server, etc). In Chrome, I entered an exception for "domain.com." In Firefox, it only works if I explicitly enumerate each and every port I use on that domain: https://domain.com:123, https://domain.com:124, https://domain.com:125, etc. Is there a way to just have it work with wildcards, so I don't have to enumerate every possible port when I know that I obviously want it to remember all cookies on that domain?
Those two changes fixed *most* of the issues, but there are still a few that it doesn't seem to remember no matter what I entered. Maybe you can replicate: try adding an exception for justin-klein.com, and logging in (I created a dummy user=tester, pass=tester123). I've entered exceptions for http://justin-klein.com, https://justin-klein.com, http://www.justin-klein.com, https://www.justin-klein.com. It still always logs me out after closing & restarting Firefox...
Thanks again :)
Hi, do you actually have cookies set for remembering login on your site or have them on your site so when you go up they are dropped on you. If not no remember as nothing to remember from.
No, wildcards do not work. Was a thought 10 yrs ago and was a thought back in Netscape but nothing came of it.
You can make suggestions for new or improved by going to 3-bar Menu --> Help --> Submit Feedback and it will be reviewed by a team.
Please let us know if this solved your issue or if you need further assistance.
>>Hi, do you actually have cookies set for remembering login on your site or have them on your site so when you go up they are dropped on you. If not no remember as nothing to remember from.
...Are you asking if justin-klein.com uses login cookies? If so...obviously, yes :P I wouldn't mention it as an issue if it didn't work properly in Chrome (also, it works properly when Firefox is set to retain all cookies). And as mentioned, this is just one example of several sites - I merely posted it specifically because I could easily create a sample login to test.
If that's not what you're asking...apologies, I guess I didn't understand the question :/
metal450 said
In Firefox, it only works if I explicitly enumerate each and every port I use on that domain: https://domain.com:123, https://domain.com:124, https://domain.com:125, etc. Is there a way to just have it work with wildcards, so I don't have to enumerate every possible port when I know that I obviously want it to remember all cookies on that domain?
I don't know of a workaround for this, but I haven't searched recently.
Those two changes fixed *most* of the issues, but there are still a few that it doesn't seem to remember no matter what I entered. Maybe you can replicate: try adding an exception for justin-klein.com, and logging in (I created a dummy user=tester, pass=tester123). I've entered exceptions for http://justin-klein.com, https://justin-klein.com, http://www.justin-klein.com, https://www.justin-klein.com. It still always logs me out after closing & restarting Firefox...
I don't think WordPress is setting persistent cookies on that server. Even with an exception, as shown in the attachment (Storage Inspector -- Shift+F9), I only get session cookies. This seems to be by design if you view the request/response headers in the Network Console (Ctrl+Shift+e then reload).
Request #1: http://www.justin-klein.com/
Response #1:
Set-Cookie: bb2_screener_=1527954272+23.124.107.40; path=/
Request #2: POST to https://www.justin-klein.com/wordpress/wp-login.php (username=tester)
Response #2:
set-cookie: bb2_screener_=1527954497+23.124.107.40; path=/
set-cookie: wordpress_test_cookie=WP+Cookie+check; path=/; domain=www.justin-klein.com; secure
set-cookie: wordpress_sec_d461c12741b791f5b961c41e676cd741=tester%7C1528127297%7CdrohFeQm80M5c19UNOeiNKhyXINpw3vRnxTDmjYWYsF%7Ca932e2ea4509a25cdb0e5467f983a9e9596e681f075abb8e199b2ecb6c180dce; path=/wp-content/plugins; domain=www.justin-klein.com; secure; httponly
set-cookie: wordpress_sec_d461c12741b791f5b961c41e676cd741=tester%7C1528127297%7CdrohFeQm80M5c19UNOeiNKhyXINpw3vRnxTDmjYWYsF%7Ca932e2ea4509a25cdb0e5467f983a9e9596e681f075abb8e199b2ecb6c180dce; path=/; domain=www.justin-klein.com; secure; httponly
set-cookie: wordpress_logged_in_d461c12741b791f5b961c41e676cd741=tester%7C1528127297%7CdrohFeQm80M5c19UNOeiNKhyXINpw3vRnxTDmjYWYsF%7C157e606a6b507ee3698fbdff33ae1516c25830dc6e64de4deb320a8d17c77485; path=/; domain=www.justin-klein.com; httponly expires: Wed, 11 Jan 1984 05:00:00 GMT
I think the last one is the critical one, and it has an expiration date far in the past and is treated as a session cookie.
For what it's worth, Chrome's developer tools show me an expiration of "1969-12-31T23:59:59.000Z" for the "wordpress_logged_in_d461c12741b791f5b961c41e676cd741" cookie when I log in using Chrome.
Hmm, interesting observation. However, do you notice that if you configure Chrome the same way - OR if you configure Firefox to keep cookies "Until they expire" - it actually does retain the login through browser exits? Also, this was just one particular example, another is my QNap NAS, where the login page explicitly has a "Remember Me" tickbox that doesn't work, only in Firefox, and only when configured as above. Like this WP example, it actually does work if I keep "until they expire" (and in Chrome in all cases).
Your examination of expiration dates *does* seem to make sense, but just in terms of user-facing behavior, I wonder why it behaves "as a user might expect" in every configuration except this one? :/
It might work if you leave tabs open when you close Firefox and let sessionstore store the cookies as part of session data in sessionstore.jsonlz4.
Nope, doesn't work. And in any case, that still wouldn't really replicate the behavior of "Keep until expired" (for the sites with exceptions)...which should be the expected behavior...
The login cookie is not retained for me in Chrome. The only cookies from the site that survive restarting Chrome look like Google Analytics cookies and one named "wp-settings-time-5494" (according to Settings > See all cookies and site data > klein search). I have no idea why your Chrome retains an expired login cookie. Are you sure you aren't being re-logged in automatically rather than being in due to the cookie?
I actually hadn't explicitly looked for the cookie, I was merely closing the tab, quitting the browser, re-launching the browser, revisiting the site, & seeing that I was still logged in. However, when I view all cookies as you mention - I *do* still see it. Odd that it says "Expires: When the browsing session ends." I've confirmed that I quit the browser & re-launch, even without visiting the site, it's still there.
However, even if we set Chrome aside for now, Firefox too keeps me logged in when I set it to "Keep Until: they expire." Is it not behaving that way for you? Even with "Keep until: they expire," it forgets the login when you quit & re-launch?
Hi metal450, I just noticed that on the wp-login page there is a "Remember me" checkbox which is unchecked by default:
https://www.justin-klein.com/wordpress/wp-login.php
If I log in on this page instead of the home page, then I can check that box, and then I get a persistent cookie with a future expiration date.
Yup, I know. For the sake of this example I'm comparing the login form on the main page (in all browser cases). Because again, this is just *ONE* example that behaves differently with the Firefox+Exceptions setup - there are others where I can't publicly post a login, i.e. the QNap NAS. So...finding an alternative login mechanism that works the same across the browsers is beyond the scope of what I'm trying to compare here. (Indeed many sites do remember the login; this issue is that *some* do not, which is what I'm providing an example of, when configured as Firefox+Until exit+Exceptions. Yet those same ones that don't in Firefox+Until exit+Exceptions *do* in Firefox+Until expires, and in Chrome).
So can you replicate as I described above with Keep Until: they expire?
metal450 said
So can you replicate as I described above with Keep Until: they expire?
I don't plan to test that in Firefox to avoid disrupting my existing settings.
I do have Chrome set up that way (since I'm not aware of a way to change it) and Chrome doesn't keep the cookie from the main page.
>>I do have Chrome set up that way (since I'm not aware of a way to change it)
Chrome's analog settings: Settings->Content Settings->Cookies->Keep local data only until you quit your browser, and then lower on that same page is where to add sites to "Allow."
In the example case of justin-klein.com's main page login (and the NAS, and the other instances), the login is remembered properly in both browsers when configured to retain cookies after you quit, but not only in Firefox when configured to clear cookies on quit w/ an exception.
>>and Chrome doesn't keep the cookie from the main page.
For what it's worth, I just replicated it in a fresh Chrome instance installed in a virtual machine - it's definitely keeping the login. Proof: http://take.ms/mHn6vx
I similarly reconfirmed Firefox in the VM, which is behaving as above: keeps the login when configured to keep cookies until expired, forgets the login when configured to clear on quit + Exceptions...
I can't replicate your results. In every case, I only get a session cookie when logging in from the home page. Naturally, I am logged out on the next startup.
Attached are from a clean profile. (It is not set to restore the previous session at startup.)
Ok...it looks like what you said about "It is not set to restore the previous session at startup" explains the difference in observed behavior :)
These steps yield these results:
1) Install Firefox from scratch. All default settings, EXCEPT: General->When Firefox starts=Show your windows and tabs from last time
2) Open a tab, visit justin-klein.com, login
3) Close the tab & quit Firefox
4) Restart Firefox & visit Justin-Klein.com. Still logged in.
Now, clear all the cookies, change to "Keep until=I close Firefox" & add an exception for Justin-Klein.com. If you repeat the above, it no longer remembers the login (despite the exception).
Okay, I see what you mean. This is what I think is going on:
(A) The WP login cookie is a session cookie, not a persistent cookie. It is expected to expire when you close Firefox. The only time the site sets a persistent cookie is when you go through wp-login and check the box to remember you.
(B) Firefox's session restore feature handles session cookies differently with these two settings:
(i) Keep until: they expire -- Firefox does not expire the session cookies. Therefore, when the previous session is automatically restored, it is as though the previous session never ended.
(ii) Keep until: I close Firefox -- during a normal shutdown, Firefox removes the session cookies from the session history file (if Firefox crashes, it still has access to the session cookies). This change was made in Firefox 47 to better align the session restore feature to the user's expressed preference to minimize cookie carry-over.
(C) The exception -- "Allow" permission for the site -- lets the site set persistent cookies if it wants, even though the general policy is to limit sites to session cookies. Since the site doesn't set persistent cookies (when you log in through the home page), this exception never comes into play.
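Added example, not part of the thread and not Firefox's own code: a small JavaScript (Node.js) model of points (A) to (C) above, together with the per-origin exception matching found earlier in the thread. The function names, the `example.test` host and the sample `Set-Cookie` values are constructed for illustration.

```javascript
// Added example (constructed names, hosts and values); models the thread, not Firefox code.
// Classify a Set-Cookie value: no Max-Age/Expires means a session cookie.
function classifySetCookie(header, now = new Date()) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attr = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    attr[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? '' : a.slice(i + 1);
  }
  let expiry = null;
  if (/^-?\d+$/.test(attr['max-age'] || '')) {
    // Max-Age takes precedence over Expires (RFC 6265).
    expiry = new Date(now.getTime() + Number(attr['max-age']) * 1000);
  } else if (attr.expires && !Number.isNaN(Date.parse(attr.expires))) {
    expiry = new Date(Date.parse(attr.expires));
  }
  const kind = expiry === null ? 'session' : expiry <= now ? 'expired' : 'persistent';
  return { name, kind };
}

// Exceptions match on the full origin: scheme, host and port must all agree.
function hasAllowException(exceptions, pageUrl) {
  const origin = new URL(pageUrl).origin;
  return exceptions.some((e) => new URL(e).origin === origin);
}

// keepUntil is 'expire' or 'close'; sessionRestore means "show windows and tabs from last time".
function survivesRestart(kind, { keepUntil, allowed, sessionRestore }) {
  if (kind === 'expired') return false;
  if (kind === 'persistent') return keepUntil === 'expire' || allowed; // point (C)
  // Session cookie: carried over only by session restore under "they expire" (B.i);
  // under "I close Firefox" it is dropped at shutdown, exception or not (B.ii).
  return sessionRestore && keepUntil === 'expire';
}

const now = new Date('2018-06-02T16:00:00Z');
const homeLogin = 'wordpress_logged_in_EXAMPLE=tester; path=/; domain=www.example.test; httponly';
const rememberMe = homeLogin + '; expires=Sat, 16 Jun 2018 16:00:00 GMT';

function demo() {
  const allowed = hasAllowException(['https://www.example.test'], 'https://www.example.test/wp-login.php');
  const cfg = { keepUntil: 'close', allowed, sessionRestore: true };
  return [homeLogin, rememberMe].map((h) => classifySetCookie(h, now))
    .map((c) => ({ ...c, survives: survivesRestart(c.kind, cfg) }));
}
console.log(demo());
```

Under "Keep until: I close Firefox" with a matching exception, only the cookie that carries a future expiry survives the restart; the home-page login cookie is a session cookie and is dropped either way.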
I guess that makes sense...somewhat. But it also seems to mean there's no way to make Firefox restore your session, unless you're willing to let it retain *all* cookies until expiration (which is, in my opinion, an extreme privacy no-no).
Unfortunately this is a pretty noticeable blow to convenience in switching from Chrome, where this works just fine: I don't have to keep all cookies until they expire, just to be able to resume where I left off across browser restarts (for the sites I explicitly say I want to resume). To me that makes way more sense: I've explicitly stated those sites are OK, so why would they not behave the same as if they were part of the "all-sites-are-ok" configuration.