What's the difference between ALLOW and ALLOW for a SESSION?
Under EXCEPTIONS I had to ALLOW certain websites. Then I decided to experiment and see what ALLOWED for SESSION really does.
Neither the entries for websites I allowed for a session were deleted from the list of exceptions, nor the cookies saved by these websites were deleted even when I closed the browser.
I do not see the difference in terms of what happens between selecting Allow vs. Allow for session.
Could someone who knows please explain or point me to the place that explains the difference and how this works?
Thanks.
Asịsa ahọpụtara
Hi Sue, until recent years, people giving us cookies was always a good thing. But I digress.
Yes, when I test with lifetimePolicy = 2, the cookies do not come back.
When you say the preference change doesn't stick, how soon does it it change back?
Another way to make the change would be to temporarily change your Tracking Protection setting from blocking All cookies to a lesser level of blocking. Then check the box to clear cookies when Firefox closes. Then change your Tracking Protection setting back again. The box will be grayed out but still should show as checked.
That sticks on mine. (I don't use any add-ons that affect cookies or cookie settings, in case that is a factor.)
Gụọ azịza a na nghọta 👍 0All Replies (20)
Did you close the tabs for these website because otherwise the cookies for these websites are stored as part of session data in sessionstore.jsonlz4 and restored on the next start (i.e. the session isn't really ended) ?
Thanks for getting back to me. With the additional info I will monitor and see what happens.
Based on what you mentioned, I understand that when I close a tab, the session is closed and all cookies associated with that website will be deleted.
Will 3rd part cookies, anything else stored in conjunction with that website be also deleted? Is the cache also deleted when the session is closed?
It seems that setting up every website for a session only (vs. ALLOW) provides more "protection" with minimum drawbacks. Is that correct?
Thanks.
Yesterday, as advised, I cleared the cookies and then I went to one of the websites that is setup for "Allow for session" (for cookies). I checked and there were 2 cookies stored by it. Then I closed the tab for that website.
This morning, I refreshed the Preferences tab and as I previously reported, the 2 cookies stored yesterday by that website were still there. So I still do not understand when the session is supposed to end and what's supposed to be deleted from where, when that supposedly happens.
Can someone explain how this is assumed to work (vs. how it works)?
BTW, I am still using Safari for accessing the support website as nobody got back to me with a fix for the 500 error that I encountered (other than disabling the block, which defeats the purpose of custom settings), reported in a different thread.
Is there a way to get help from developers, from those who know how security and privacy works? Am I the only one experiencing and reporting these problems?
Thanks.
Hi Sue, you mentioned closing the tab and checking the next morning, but did you Quit and then start Firefox up fresh in between? Firefox on Mac may remain "in session" (running without open windows) and retain session cookies until you use either:
- "3-bar" menu button > Quit
- (menu bar) Firefox > Quit
(That is different from Windows, where closing the last Firefox window exits Firefox completely. I use and test on Windows.)
More generally, the permissions in the Exceptions dialog work together with the setting "Delete cookies and site data when Firefox is closed" which you see to the left of it. If you only want a handful of sites to be able to set persistent cookies, you won't need to manually create "Allow for Session" permissions.
(1) Scenario One (default)
[_] Delete cookies and site data when Firefox is closed (not checked)
Firefox saves cookies as long as sites request.
(2) Scenario Two
[X] Delete cookies and site data when Firefox is closed (checked)
Firefox shortens cookie expiration to session only unless the site has an ALLOW permission in the exceptions list.
Edeziri
Thanks for your reply.
Now that you clarified that closing the tab is not good enough, I quit Firefox. After I restarted it, the 2 cookies from the website I used yesterday (not today) are still there....
I CANNOT check "Delete cookies and site data when Firefox is closed" because it is grayed out...... I have no idea why.
This is really easy to replicate. Does this work for everybody else except me? Thanks.
Sue said
I CANNOT check "Delete cookies and site data when Firefox is closed" because it is grayed out...... I have no idea why.
That is strange. Does Firefox give a reason for that? One known reason is if your Firefox uses automatic private browsing mode, in which case it will be checked and have an explanation:
That is set through the History section of the page, using either:
- Firefox will: Never remember history
- Firefox will: Use custom settings for history + [X] "Always use private browsing mode"
In automatic private browsing mode, Firefox doesn't store new cookies or history to disk. What you see in dialogs may be left over from non-private sessions and in a sort of "read only" state.
But if yours is unchecked and cannot be checked, perhaps there is a policy or preference lock in place. Could you check:
Policies
Type or paste about:policies in the address bar and press Return to open that internal page. Are there any Active policies listed?
Preference Status
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
(2) In the search box in the page, type or paste cookie and pause while the list is filtered
See corrected version here.
The checkbox corresponds to network.cookie.lifetimePolicy. I only found one configuration that grays out the box, but if this preference is in italics or indicates it is locked, that is a different situation. In my experiments:
4 => accept all cookies EXCEPT Cross-site and social media trackers [default]
- Standard or Strict Tracking Protection, or Custom Tracking Protection with Cross-site and social media trackers selected for cookie blocking
- [_] Delete cookies and site data when Firefox is closed (unchecked, checkable)
3 => accept all cookies EXCEPT Cookies from unvisited sites
- Custom Tracking Protection with Cookies from unvisited sites selected for cookie blocking
- [_] Delete cookies and site data when Firefox is closed (unchecked, checkable)
2 => accept cookies for session only OR block all cookies
With Custom Tracking Protection set to block all cookies:
- [_] Delete cookies and site data when Firefox is closed (unchecked, grayed out)
Otherwise:
- [X] Delete cookies and site data when Firefox is closed (checked, uncheckable)
1 => accept all cookies EXCEPT third-party cookies
- Custom Tracking Protection with All third-party cookies selected for cookie blocking
- [_] Delete cookies and site data when Firefox is closed (unchecked, checkable)
0 => accept all cookies
- Custom Tracking Protection with cookie blocking unchecked
[_] Delete cookies and site data when Firefox is closed (unchecked, checkable)
NOTE: It's not a good idea to set network.cookie.lifetimePolicy manually because this may get out of sync with tracking protection preferences that Firefox is also changing simultaneously when you use the Preferences page.
Edeziri
Thanks a lot for not giving up on me, particularly on a Sunday.
I do NOT use and never used private windows in Firefox.
Policies: "The Enterprise Policies service is inactive." network.cookie.lifetimePolicy = 0, which means accept all cookies.......
This is really confusing. I am attaching again a screen capture of my custom choices, which are for blocking all cookies in all windows. I do have exceptions saved for ALLOW, ALLOW for SESSION and some for BLOCK. I also included a screen capture of the grayed out ""Delete cookies and site data when Firefox is closed" checkbox.
If I am the only person with these problems, then something very strange is happening on my end. I do not know what I might be doing incorrectly....
You block all the cookies, so there are no cookies to delete at the end of the session.
- Block: Cookies --> All cookies (will causes websites to break)
2 => accept cookies for session only OR block all cookies With Custom Tracking Protection set to block all cookies: [_] Delete cookies and site data when Firefox is closed (unchecked, grayed out)
Thanks. As I mentioned, I have EXCEPTIONS set to Allow or Allow for session. So those websites save cookies. In addition, as I mentioned, with a screen capture, in one of the other post, as soon as I restart Firefox, some cookies that I cannot relate to are also saved and showing up in the list. I started Blocking them as Custom blocking doesn't seem to deter them. So this is why I am deleting cookies when I am testing something, just to be sure that everything is clean.
I am attaching a screen capture that I see following the instructions provided by jscher2000 for preference status for cookies.
As you can see, network.cookie.lifetimePolicy is not 2, but 0, despite the fact that I CUSTOM set blocking for all cookies (except for those defined in the Exceptions list).......
If you were to try to replicate what I am doing (with the latest version of Firefox) would you see something else?
What am I doing incorrectly?
I can confirm after quite a few rounds of testing that when blocking is set for All cookies in all Windows (not private ones) and one Allows cookies for a session from a website, those cookies are never deleted. The website was closed before I quit Firefox. The cookies stayed there.
I am sure that this is easy to replicate.
Can someone please explain how is this supposed to work? What is the difference between Allow and Allow for session, my initial question?
Also I'd appreciate an answer to the prior question about what's in the Preference Status/Config for cookies:
network.cookie.lifetimePolicy is not 2, but 0, despite the fact that I CUSTOM set blocking for all cookies (except for those defined in the Exceptions list)..
Thanks.
Edeziri
I think I messed up my previous summary quite badly by using the wrong preference name. Let me try again.
(1) Default Level of Cookie Blocking
- Standard or Strict Tracking Protection, or Custom Tracking Protection with Cross-site and social media trackers selected for cookie blocking
- [_] Delete cookies and site data when Firefox is closed (unchecked, checkable)
about:config settings:
- network.cookie.cookieBehavior => 4
- network.cookie.lifetimePolicy => 0
(1A) Default + Session cookies only
- Standard or Strict Tracking Protection, or Custom Tracking Protection with Cross-site and social media trackers selected for cookie blocking
- [X] Delete cookies and site data when Firefox is closed (checked, uncheckable)
about:config settings:
- network.cookie.cookieBehavior => 4
- network.cookie.lifetimePolicy => 2
(2) Block third party cookies from unvisited sites
- Custom Tracking Protection with Cookies from unvisited sites selected for cookie blocking
- [_] Delete cookies and site data when Firefox is closed (unchecked, checkable)
about:config settings:
- network.cookie.cookieBehavior => 3
- network.cookie.lifetimePolicy => 0
(2A) Block third party cookies from unvisited sites + Session cookies only
- Custom Tracking Protection with Cookies from unvisited sites selected for cookie blocking
- [X] Delete cookies and site data when Firefox is closed (checked, uncheckable)
about:config settings:
- network.cookie.cookieBehavior => 3
- network.cookie.lifetimePolicy => 2
(3) Block all third party cookies
- Custom Tracking Protection with All third-party cookies selected for cookie blocking
- [_] Delete cookies and site data when Firefox is closed (unchecked, checkable)
about:config settings:
- network.cookie.cookieBehavior => 1
- network.cookie.lifetimePolicy => 0
(3A) Block all third party cookies + Session cookies only
- Custom Tracking Protection with All third-party cookies selected for cookie blocking
- [X] Delete cookies and site data when Firefox is closed (checked, uncheckable)
about:config settings:
- network.cookie.cookieBehavior => 1
- network.cookie.lifetimePolicy => 2
(4) Block all cookies
- Custom Tracking Protection with All cookies selected for cookie blocking
- [_] Delete cookies and site data when Firefox is closed (unchecked, grayed out)
about:config settings:
- network.cookie.cookieBehavior => 2
- network.cookie.lifetimePolicy => 0 [default] or 2 [if previously used session only]
(5) Don't block any cookies
- Custom Tracking Protection with cookie blocking unchecked
- [_] Delete cookies and site data when Firefox is closed (unchecked, checkable)
about:config settings:
- network.cookie.cookieBehavior => 0
- network.cookie.lifetimePolicy => 0
(5A) Don't block any cookies + Session cookies only
- Custom Tracking Protection with cookie blocking unchecked
- [X] Delete cookies and site data when Firefox is closed (checked, uncheckable)
about:config settings:
- network.cookie.cookieBehavior => 0
- network.cookie.lifetimePolicy => 2
Since you are using #4, the only cookies in your Firefox should be ones that have either Allow or Allow for Session permission. At startup, the only ones remaining should be the ones with Allow permission. To check whether a cookie is persistent or session only, you need to use the Storage Inspector while you are on a page from the site (Shift+F9). If the Expires/Max-Age column is not displayed, right-click another column to open the column chooser list and click it there. Session-only cookies will say Session, while persistent cookies have a date/time.
Thank you.
I am confirming that under #4 I do see:
Custom Tracking Protection with All cookies selected for cookie blocking [_] Delete cookies and site data when Firefox is closed (unchecked, grayed out)
However, when I quit and then restart Firefox, the ones that have Session only permission are NOT removed.
Here is what I did, using the AAII.com website (Allow for session) for testing: - checked using your instructions the Expiration for this website w. Storage Inspector. It does show SESSION for all cookies for this website. - refreshed the Preferences tab - captured all cookies displayed by Manage Data (attached) - logged off the AAII website, closed the tab, refreshed Preferences, checked cookies in Manage Data - no change - quit Firefox - restarted Firefox - checked Manage Data; the list of cookies did not change (those saved by AAII are still there). The only thing that changed is the Last Used time stamp. Captured this and attached it. - logged again into AAII and checked what's under the Shield - Social Media Trackers (listed as blocked) shows https://connect.facebook.net - ARE THEY BLOCKED??? - Cookies show 2 lists, screen capture attached - ARE THESE BLOCKED??? - Tracking Content shows another list, screen capture attached - ARE THESE BLOCKED???
CONCLUSION: session cookies are NOT removed Questions: - what's blocked out of what's shown in the SHIELD (see above and screen captures) - does the AAII website programmers code permissions for the social media trackers and everything else listed in the Shield?
Thank you.
Test. I posted my reply and AGAIN (for the second time today) I cannot see it even after refreshing the tab. This time I saved it before posting. I do not know what causes this problem. Another really bad bug....
I will try again.
Thank you.
I am confirming that under #4 I do see:
Custom Tracking Protection with All cookies selected for cookie blocking [_] Delete cookies and site data when Firefox is closed (unchecked, grayed out)
However, when I quit and then restart Firefox, the ones that have Session only permission are NOT removed.
Here is what I did, using the AAII.com website (Allow for session) for testing: - checked using your instructions the Expiration for this website w. Storage Inspector. It does show SESSION for all cookies for this website. - refreshed the Preferences tab - captured all cookies displayed by Manage Data (attached) - logged off the AAII website, closed the tab, refreshed Preferences, checked cookies in Manage Data - no change - quit Firefox - restarted Firefox - checked Manage Data; the list of cookies did not change (those saved by AAII are still there). The only thing that changed is the Last Used time stamp. Captured this and attached it. - logged again into AAII and checked what's under the Shield - Social Media Trackers (listed as blocked) shows https://connect.facebook.net - ARE THEY BLOCKED??? - Cookies show 2 lists, screen capture attached - ARE THESE BLOCKED??? - Tracking Content shows another list, screen capture attached - ARE THESE BLOCKED???
CONCLUSION: session cookies are NOT removed Questions: - what's blocked out of what's shown in the SHIELD (see above and screen captures) - does the AAII website programmers code permissions for the social media trackers and everything else listed in the Shield?
Thank you.
I cannot post my reply after trying again.
Is there any limit on anything (text, attachments), problems with "special" characters, etc?
I will try to post the test first and then separately the attachments. Really annoying and frustrating....
Thank you.
TEXT ONLY
I am confirming that under #4 I do see:
Custom Tracking Protection with All cookies selected for cookie blocking [_] Delete cookies and site data when Firefox is closed (unchecked, grayed out)
However, when I quit and then restart Firefox, the ones that have Session only permission are NOT removed.
Here is what I did, using the AAII.com website (Allow for session) for testing: - checked using your instructions the Expiration for this website w. Storage Inspector. It does show SESSION for all cookies for this website. - refreshed the Preferences tab - captured all cookies displayed by Manage Data (attached) - logged off the AAII website, closed the tab, refreshed Preferences, checked cookies in Manage Data - no change - quit Firefox - restarted Firefox - checked Manage Data; the list of cookies did not change (those saved by AAII are still there). The only thing that changed is the Last Used time stamp. Captured this and attached it. - logged again into AAII and checked what's under the Shield - Social Media Trackers (listed as blocked) shows https://connect.facebook.net - ARE THEY BLOCKED??? - Cookies show 2 lists, screen capture attached - ARE THESE BLOCKED??? - Tracking Content shows another list, screen capture attached - ARE THESE BLOCKED???
CONCLUSION: session cookies are NOT removed Questions: - what's blocked out of what's shown in the SHIELD (see above and screen captures) - does the AAII website programmers code permissions for the social media trackers and everything else listed in the Shield?
Thank you.
Tried text only, but it is not posted.... I will split the text in 2 parts.
TEXT PART 1
Thank you.
I am confirming that under #4 I do see:
Custom Tracking Protection with All cookies selected for cookie blocking Delete cookies and site data when Firefox is closed (unchecked, grayed out)
However, when I quit and then restart Firefox, the ones that have Session only permission are NOT removed.
Here is what I did, using the AAII.com website (Allow for session) for testing: - checked using your instructions the Expiration for this website w. Storage Inspector. It does show SESSION for all cookies for this website. - refreshed the Preferences tab - captured all cookies displayed by Manage Data (attached) - logged off the AAII website, closed the tab, refreshed Preferences, checked cookies in Manage Data - no change - quit Firefox - restarted Firefox
Splitting the text in two (no attachments) didn't help. We are talking about 11 lines.....
I do not know what else to do, this is kind of beyond belief. Maybe someone can provide some guidance.
Not a good experience. I am happy to send the message to an email, if there is one.
The CONCLUSION is the session cookies (proven as such) are not deleted after closing the tab and quitting Firefox.
Maybe the attachments go out and speak for themselves: They represent Manage Data after I logged into AAII and then after I closed the tab, quit and restarted Firefox. The other two are captures of what the Shield displays. I have some follow-up questions but I will keep it short here, just to make sure that I can post.