[GLLUG] Firefox Cookie Control

Charles Ulrich charles at bityard.net
Sun May 31 17:10:03 EDT 2015


There are quite possibly a number of things going on here, but I don't 
think any website has the ability to tell a browser to override the 
user's cookie preferences.

The first is the distinction between session cookies and regular 
cookies. Cookies which have an expiration date attached to them are 
regular cookies. Cookies which do not are session cookies. Session 
cookies are supposed to be cleared from the browser when it is closed, 
but this doesn't always happen. (I don't see a way to control how long 
normal cookies live before they expire, beyond nagging you every single 
time a site wants to set one.)

For instance, I have my Firefox set up to treat all cookies as session 
cookies except the ones from sites I manually add to a whitelist. But 
when I close and reopen Firefox, I still have a bunch of cookies in my, 
er, cookie jar. This is because I have "Show my windows and tabs from 
last time" selected in the General Preferences. I make heavy use of tabs 
and tab groups in Firefox, so it keeps the session cookies around for 
those sites which I keep opened in tabs in the background. For those 
sites, it effectively means my "session" never ends, even when I close 
Firefox and shut down my computer.

Another (more likely) possibility is that Google and Yahoo are set up as 
search engines in your Firefox and when Firefox starts, it makes a query 
to those sites to get their favicon or whatever, and you get cookies as 
a side-effect of that request. You can probably remove these from your 
search engines if you don't want the cookies. (Don't ask me how in FF 
31, they keep changing the UI for this...)

There are gazillions of cookie management addons for FF; one that I used 
for a while is called "Self-Destructing Cookies" which removed cookies 
from the cookie jar after a set time. I seem to remember it didn't work 
very well.

It looks to me like you can add specific domains to the cookie 
exceptions list and set their status to "block".

Just some random thoughts.

Thanks,
Charles


On 05/31/2015 10:07 AM, Chick Tower wrote:
> I just discovered something slightly disturbing.  I usually use Firefox
> on desktop PCs, and Slackware is only up to version 31.7.0esr.  I
> like to keep a tight rein on what cookies are set, with very few that
> aren't erased at the end of the session, if not blocked from the start.
> However, I've noticed that sometimes after closing Firefox to erase
> those session cookies they are still there in a new session.  When I
> check the cookie exceptions that are set, some say "Allow first party
> only". I've never selected that, it's not even an option offered, and
> I've deleted or changed those exceptions, but they keep coming back.  It
> appears Yahoo! and Google know how to change the exceptions I put in
> Firefox!  There may be other websites that do this, but I haven't
> noticed any of the others I visit doing it.  At least they change them
> to "Allow first party only" and don't enable third-party cookies, but it
> still galls me that they're controlling my browser settings.
>
> It bothers me that I can't block or make temporary cookies from
> accounts.google.com or ads.yahoo.com.  Other domains from Google and
> Yahoo! also do this, but they aren't as simple to remember and type as
> these two are.  I know I can delete them manually, which isn't
> difficult, but it's still annoying.  I don't want to block or erase all
> cookies, because some are useful (like the TV schedule), and some sites
> won't allow you to go forward without setting cookies.  It may be that
> Google and Yahoo! can ignore those settings, too.  I haven't tried any
> of the cookie-managing add-ons.  I do use Privoxy, so I could probably
> create some new rules or entries to stop this, and I suspect that would
> work since it's not part of any browser.  I'm not interested at this
> time in using another browser, and other common browsers might be
> similarly vulnerable, anyway.
>
> Does anyone know of a setting or an add-on or a hack in about:config
> that will stop this behavior?  Has anyone else noticed it?  I searched
> on DuckDuckGo for "Allow first party only" and didn't find anything useful.
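
The session-versus-regular distinction described in the reply above, as an added example that is not part of the original thread: a small classifier for Set-Cookie header values. The function names, hosts, clock and sample headers are constructed for illustration, and effective_kind() is a simplified model of the "session unless whitelisted" setup, not Firefox's own logic.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

NOW = datetime(2015, 5, 31, 17, 10, 3, tzinfo=timezone.utc)  # constructed clock

def classify(set_cookie, now=NOW):
    """Return (name, kind, lifetime_seconds) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    expires_at = None
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            expires_at = now + timedelta(seconds=int(attrs["max-age"]))
        except (ValueError, OverflowError):
            pass  # an unparseable Max-Age is ignored
    if expires_at is None and "expires" in attrs:
        try:
            expires_at = parsedate_to_datetime(attrs["expires"])
            if expires_at.tzinfo is None:
                expires_at = expires_at.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            pass  # an unparseable date means no expiry is attached
    if expires_at is None:
        return name, "session", None  # no expiry: gone when the session ends
    lifetime = int((expires_at - now).total_seconds())
    return name, ("persistent" if lifetime > 0 else "expired"), lifetime

def effective_kind(kind, host, keep_hosts):
    """Simplified model: persistent cookies are kept only for whitelisted hosts."""
    return "session" if kind == "persistent" and host not in keep_hosts else kind

# Constructed sample input: (host, Set-Cookie value)
SAMPLE = [
    ("tv.example.org", "SID=abc123; Path=/; HttpOnly"),
    ("tv.example.org", "PREF=xyz; Expires=Wed, 31 May 2017 17:10:03 GMT; Path=/"),
    ("ads.example.net", "B=1; Max-Age=3600; Expires=Wed, 31 May 2017 17:10:03 GMT"),
    ("ads.example.net", "OLD=; Max-Age=0"),
]

if __name__ == "__main__":
    keep = {"tv.example.org"}  # hypothetical whitelist
    for host, header in SAMPLE:
        name, kind, lifetime = classify(header)
        print(host, name, kind, lifetime, "->", effective_kind(kind, host, keep))
```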

