Firefox doesn't delete cookies on exit. When will it do?
Firefox fails to delete cookies if set to do so on quitting and if the settings 'General->Show my windows and tabs from last time' have been set.
The problem is described e.g. as bug 794253, 443354 and 401187:
https://bugzilla.mozilla.org/show_bug.cgi?id=794253 https://bugzilla.mozilla.org/show_bug.cgi?id=443354 https://bugzilla.mozilla.org/show_bug.cgi?id=401187 .
As a result user tracking through cookies can continue even if Firefox had been closed before. Moreover another user could resume an earlier session and access pages an earlier user had not logged off from.
A work around is also described in https://bugzilla.mozilla.org/show_bug.cgi?id=443354 :
edit direct link to comment -J99 bug 443354 c48
In about:config set browser.sessionstore.privacy_level & browser.sessionstore.privacy_level_deferred to 1 or 2 as described with the bug report.
However, as a general solution this problem needs to be fixed in Firefox since most people will neither be aware of the problem nor of the work around.
Users can vote for this bug in Bugzilla to promote its solution.
An gyara
All Replies (17)
Hi fkbreitl,
Good post. This is something that is not well documented. Maybe if bug 401187 is not assigned and actioned soon we should consider at least amending Firefox KB articles to include advice on this.
Anyone using session restore from Show my windows and tabs from last time' should bare in mind the security implications, as mentioned in the post above. There are a couple of things you could also try
- explicitly LOG OUT of security, financial, or confidential sites as soon as you finish your task.
- PRIVATE BROWSING, this is designed to protect you, and does not save cookies or other information
Voting
Anyone following the advice above to vote in the bug please note
- the open bug on which you may beneficially vote is
Bug 401187 - auth cookies remain after restart firefox directly (reword "Keep [cookies] until: I close Firefox")
( You will need to register with an email address before voting)
You are only voting for a change in wording - Please do not add comments to the bugs themselves, they have already had extensive comments from all interested parties over several years !
Workaround
This is probably more suited to advanced users or corporate environments but does stop the cookies being kept.
In about:config set browser.sessionstore.privacy_level & browser.sessionstore.privacy_level_deferred to 1 or 2 as described with the bug report.
You will need to go into about:config accepting a warning if necessary, then filter to find (or maybe even add) the preference, and amend the preference value. See
- http://kb.mozillazine.org/Browser.sessionstore.privacy_level
(Linked article also mentions browser.sessionstore.privacy_level_deferred ) - http://kb.mozillazine.org/About:config
STANDARDS
I presume Firefox attempts to remain standards compliant, but standards evolve and real world practices also need to be considered. Bug 443354 c48 mentions
The standards /are/ changing. RFC 2109 from 1997 never quite matched actual behaviour which developed over time
It appears that comment is itself out of date as it seems standards are RFC2109 -> RFC2965 -> RFC6265 . Apparently current proposals are HTTP State Management Mechanism RFC 6265
An gyara
Thanks for your comments.
To the voting: 1. I just corrected in bug 401187 that rewording is no solution. What is needed is a fix in Firefox to delete cookies on quitting as requested by the users. So voting should now be for deleting cookies and not for the rewording.
2. I don't see why people shouldn't express that they care about this important privacy issue by commenting on it. Since this problem is still unfixed after 5 years (e.g. 4011787 was reported as early as Oct. 2007) I would rather conclude that not enough people have commented on it.
You you use "Show my windows and tabs from last time" then Firefox stores the cookies used in the tabs as part of the session data, so these won't get cleared.
You can set the browser.sessionstore.privacy_level pref to 2 (never) or 1 (non-HTTPS) on the about:config page to disable saving cookies via session restore.
The browser.sessionstore.privacy_level_deferred pref is used when you do not reopen the previous session automatically via "Show my windows and tabs from last time" and uses the same values.
Yes, I think you understood the bug and the work around.
Lets see if there is any further action in that bug. I suspect it is effectively dead in the water and not going to get assigned or actioned. (I am still in favour of merely attempting to amend KB documentation)
I understand the general idea with bug reports is that most background discussion takes place elsewhere. Ideally the bug is a single and simple solution to a problem, or a request for a clearly specified enhancement.
I am not sure about this subject, and I will leave it to you to do any further research. If you are determined to try the bugzilla approach, you could read up on the related bugs and past decisions, and possibly the course of action may be to consider filing a new bug either
- asking for a new User Interface or preference option
- pointing out any recently changed draft proposals that Firefox may be in danger of not meeting unless it changes
A better option may be to find a suitable developers forum/mailing list and petition for some sort of change of direction and only then file a bug for an enhancement once you have supporters.
This forum is not even a good place for such a discussion, although cor-el's your own , and my post above do actually mention workarounds for the problem and that IMHO is valid content for this support forum.
If this thread drifts away from a problem and solution, and into arguments about Mozilla Firefox policies; I or someone else; may be likely to lock it as off topic for this support forum.
John, thanks for your comments.
I already filed a new bug report for the issue which is 794253 mentioned above. However, I don't have time for campaigns you mention above. I am just a user reporting a bug and the purpose of my report it in this forum is to help others who realize the same problem.
I also found many other questions about the same problem in this forum, however none were answered with a clear description of the problem nor a reference to a bug report nor a workaround.
I will leave the active bug a week or so to see if there is any activity, then I will see if anything can be done to improve our documentation. (Post back and remind me if you like).
I was aware of the situation with the saved tabs, but until I tried to look did not realise we do not seem to have clearly documented this. To my mind rewording of the options would suffice to make users aware of what they are opting for.
The problem is:
Users want Firefox to delete their cookies and they want Firefox to open the last pages they visited. It is an obvious and reasonable user request.
To make Firefox do something different and more sophisticated that most users won't need and that puts their privacy at risk behind their back is a very wrong thing to do.
This is not about rewording or documenting. This is about fixing a bug which originates from misconception in Firefox. If you read the bug reports again you should notice this. Instead of documenting a bug it should be fixed. And a web browser should be Intuitive and not need documentation.
Your title for this question is
- Firefox doesn't delete cookies on exit. When will it do?
That is a rhetorical question as each of the writers in this thread has shown awareness of the answer:
- Firefox already does that NOW, if you change settings and preferences suitably (or as I mentioned use PB).
I will reiterate, this forum is dedicated to solving simple and specific user problems with direct advice. It is not for discussion of the merits and finer details of bugs, unless that is to give direct user advice.
Neither is the forum for requesting Firefox changes or enhancements, or providing feedback on its features. Most Firefox developers will never even use or see this forum. Posting here does not help in a campaign for change or enhancement to firefox.
- Feedback: From a current version try http://input.mozilla.org/en-US/feedback
- You obviously are fully aware of bugs and bugzilla. The bugs you mention have extensive comments on this subject over several years, and include links to many related or duplicate bugs on the subject
This is starting to get repetitive & difficult to add anything constructive without straying outside of forum guidelines.
The forum has a fairly comprehensive associated Knowledge Base (KB) and whilst this is not really the place to discuss KB edits we could consider editing something to better cover advice available in this situation. Not much other help I can offer.
- Excuse me, but my question is not rhetorical. I just want to know when Firefox will be doing this.
- Firefox is not doing it right now, but only under very specific condition.
--
I have to reiterate that the purpose of my post is to inform people about this problem and show them a work around until the bug is fixed in Firefox. I understand you are defensive about Firefox but it won't make things better.
- Thanks for the feedback link. It looks interesting but it also looks like it won't help with informing other users. Anyways I will add a reference to this discussion.
- Of course I am aware of the problem. That's why I can post a work around here.
Nothing more needs to be added. I think everything has been said and is documented now for the Firefox community.
--
Thank you anyways. It was good discussing with you and you added some interesting links regarding Firefox.
Hi Frank,
Further to your PM. Mozillazine is certainly somewhere to consider posting about Firefox, although note it is not directly connected to Mozilla. Possibly the Mozillazine forum to try would be Web Development / Standards Evangelism
The Mozilla forums/mailinglists presumably already have had discussions about this subject. They are somewhere with the possibility of attracting developer's attention, but I have no idea which forum would be best to post in although I can provide a link to the listings: http://www.mozilla.org/about/forums/
Cheers, John
You can achieve what you want by changing prefs.
This is not really a workaround, but you have a different opinion about this than the Firefox developers and this default behavior won't get changed in future Firefox versions.
This is only a problem if you reopen pages via session restore automatically, so either close the tabs before closing Firefox or disable saving cookies in sessionstore.js via the pref or access those pages in Private Browsing mode.
Cor-el, you have to distinguish between an opinion and an error. As you can read about this is an error and so we have a bug. There is no room for opinions in this case.
As you can read above as well I know how to work about the problem and here I document it for those looking for a solution.
1. All you have to do is go on whatever internet page you dont want Firefox to remember your cookies & click on the little 'Lock Icon' - This is located on the left of the address bar (Were You Type WWW) - Once you do that a 'Mini Tab' will pop up 2. Click on the button that says 'More Information' 3. Click on 'Permissions' on the top left corner 4. Under 'Set Cookies' un-check 'Use Default' 5. Now 'Block' or 'Allow for Session'. I advice you clear all History, Cache, Etc after you do this & repeat this process when you are on a site you don't want Firefox to remember. Enjoy -Your Brother From The Stars.. Udrokoos! ^.^ .
An gyara
Thanks Udrokoos but this is not a solution for the problem described here and in the bug reports, first of all, because it doesn't involve these additional settings.
cor-el, where is the "Show my windows and tabs from last time" preference?
I can't delete cookies manually, either, and I've deleted cookies.sqlite many times. They appear to be cleared, but reappear within minutes.
You can find the startup setting here:
- Tools > Options > General > Startup: When Firefox Starts: Show my windows and tabs from last time
Instead of Tools > Options use:
- Mac: Firefox > Preferences
- Linux: Edit > Preferences
- Windows: Firefox menu button > Options
You may have installed an extension like TACO (Abine) or Do Not Track Plus that maintains a set of OPT-OUT cookies if you can't remove some cookies permanently.
In that case you need to uninstall the extension to remove those opt-out cookies.
- Do Not Track Plus: https://addons.mozilla.org/firefox/addon/donottrackplus/
Start Firefox in Safe Mode to check if one of the extensions (Firefox/Tools > Add-ons > Extensions) or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance).
- Do NOT click the Reset button on the Safe mode start window or otherwise make changes.