tags:

views:

2846

answers:

4
+7  Q: 

Firefox session cookies

Generally speaking, when given a cookie that has no expiration period, modern browsers will consider this cookie to be a 'session cookie', they will remove the cookie at the end of the browsing session (generally when the browser instance closes).

IE, Opera, Safari and Chrome all support this behavior.

However firefox (3.0.9 latest proper release) appears not to follow this rule, from what I can tell it doesn't expire the cookies when the browser is closed, or when the user logs off or restarts the OS..

So, why does firefox refer to these as session cookies, when they last aparently indefinitely?

Does anyone know how Firefox handles session cookie expiration?

+1  A: 

This should work. I used to be one of the cookie module testers, and I don't think there is any design reason this would behave differently (although if you crash, the session cookies might be designed to live on when you restart...)

Are you viewing the cookies in the "Preferences" menu > "Privacy" Tab > "Show Cookies..." button?

Also, have you tried a new profile?

benc  2009-04-29 16:30:55
Very strange, I'm relatively happy if this is just a bug with the two systems I tested it on.. I've viewed the cookies and they survive anything.. and they are absolutely being classified as session cookies by firefox.. the only options I ever change in firefox is to turn javascript off and on.. my installed plugins are firebug and the web developer toolbar.. ah well- cheers anyway.
meandmycode  2009-04-29 21:12:24
There are also a variety of cookie module preferences, but I don't recall any of them having this kind of functionality. FF3 did switch from a text file to a cookie database, maybe your database has mis-behaved.
benc  2009-05-01 16:36:42
+2  A: 

Two ideas :

  1. You have a problem with your session manager (the one included in FF3 or one included in an extension, like tabmixplus)
  2. Use Firebug + FireCookie (https://addons.mozilla.org/en-US/firefox/addon/6683) to debug !
Tomap  2009-04-29 16:35:29
+13  A: 

This is apparently by design. Check out this Bugzilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=443354

Firefox has a feature where you close Firefox and it offers to save all your tabs, and then you restore the browser and those tabs come back. That's called session restore. What I didn't realize is that it'll also restore all the session cookies for those pages too! It treats it like you had never closed the browser.

This makes sense in the sense that if your browser crashed you get right back to where you were, but is a little disconcerting for web devs used to session cookies getting cleared. I've got some old session cookies from months ago that were set by sites I always have open in tabs.

To test this out, close all the tabs in your browser, then close the browser and restart it. I think the session cookies for your site should clear in that case. Otherwise you'd have to turn off session restore.

BRH  2009-07-04 21:40:01
I find this behavior quite questionable, thanks for your research. If "Save and Quit" is selected or "Restore tabs and windows", upon closing the browser, all session cookies remain intact.The only way for the "user" to get rid of them is to first close the tab(s) and *then* close the browser.
mark  2009-08-17 14:08:07
Did you ever find a workaround? I really don't want Firefox to dig up old sessions as I need the session ID in my app to be unique.
ArjanP  2010-03-09 03:52:35
Sorry, I don't know of a workaround. From your app's perspective, their browser never closed.
BRH  2010-03-12 07:25:59
I've noted some of the implications of this (IMO ill-advised) decision: http://mrclay.org/index.php/2010/05/02/uh-oh-firefoxs-unique-session-cookie-behavior/
mrclay  2010-05-02 07:08:52
I got bitten by this behavior today, too. I thought there were something wrong with my app. Then I tested Chrome, and other browsers, then figured out firefox is the culprit.
Dingle  2010-05-06 00:52:52
A: 

If firefox didn't crash, they wouldn't need this "Feature"

Mariusz  2010-03-26 04:49:55

related questions

What is typically the length of your optimal coding session?
What's the most current, good practice, and easiest way to use sessions in PHP?
What can cause an ASP.NET worker process to be recycled?
How do I explicitly set asp.net sessions to ONLY expire on closing the browser or explicit logou?
session variable mixup in ASP.NET?
In Classic asp, can I store a database connection in the Session object?
What are the advantages and disadvantages of the Session Façade Core J2EE Pattern?
Different values of GetHashCode for inproc and stateserver session variables
Best way for allowing subdomain session cookies using Tomcat
Is there a way to specify a different session store with Tomcat?
PHP: $_SESSION - What are the pros and cons of storing temporarily used data in the $_SESSION variable
What is the best way to handle sessions for a PHP site on multiple hosts?
How much data can/should you store in a users session object?
ASP.Net Session_Start event not firing
Logging image downloads
ASP.Net: If I have the Session ID, Can I get the Session object?
Secure session cookies in ASP.NET over HTTPS
Django Sessions
Can I put an ASP.Net session ID in a hidden form field?
Always including the user in the django template context
Rails - recovering database from Production.log
Most efficient way to get data from the database to session
What is the best way to prevent session hijacking?
FOSS ASP.Net Session Replication Solution?
How do I best detect an ASP.NET expired session?