SitePoint Sponsor

User Tag List

Results 1 to 4 of 4
  1. #1
    SitePoint Zealot
    Join Date
    Dec 2007
    0 Post(s)
    0 Thread(s)

    Firefox 3.0.5 not deleting session/transient cookie on browser close

    Hi all, I've found something I think is a bit interesting, wondering if anyone has any insight on the following.

    I have a log in/private section where a cookie is set upon successful login credentials. I also have a "remember me" option so the user won't have to log back in if they revisit before the cookie expires.

    I'm setting my session cookie to expire on browser close (which seems to work fine for browsers other than Firefox) as follows:

    setcookie('access'); //transient cookie, expires when browser closes
    My cookie for my "remember me" option is as follows:

         setcookie('access', md5(uniqid(rand())), time()+60); //EXPIRES IN ONE SECOND FOR TESTING
    The login page checks for the cookie, if it isn't set, it redirects the user.

    With the "remember me" option checked on login, you can refresh the protected page for 1 minute (then the cookie expires). After that, you're redirected. This works fine.

    Without the "remember me" option, if I quit/relaunch Firefox, the cookie persists. If I view the cookie information, it says:

    Expires: At End Of Session

    To get it to work in Firefox, I have to close that browser tab, then quit/relaunch Firefox, then try to access my protected page directly via url (in which case I'm redirected).

    If I quit Firefox with the protected page tab open, then relaunch, Firefox appears to not delete session cookies. Have other people experienced this and is this expected behavior in Firefox?

    My Firefox Cookies settings are:

    * Accept cookies from sites
    * Accept third-party cookies
    * Keep until: they expire

    I think these are the default settings, I don't think I've changed them, but can't be 100% sure.

  2. #2
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    West Springfield, Massachusetts
    198 Post(s)
    3 Thread(s)
    I don't have Firefox 3, but AFAIK if the browser is closed with any tabs open when the browsers is started again those sessions are "restored". Therefore, until the tab is closed there is no "End of Session". Although there may be an option at start-up for either "restore" or "new".

  3. #3
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Sydney, NSW, Australia
    25 Post(s)
    1 Thread(s)
    I have had sessions restart when restoring a prior Firefox session. Firefox only gives the option to save the currently open tabs (and their associated session cookies) if you have more than one tab open at the time of closing the browser so as long as you close all but one of the tabs before closing the browser or answer no to saving the session when closing the browser with more than one tab open then the session will be closed. If you answer yes to saving the session then Firefox will obey you and save it. If there is one saved then when you next open Firefox it will ask if you want to restore what was saved or delete it and start from your default setup.
    Stephen J Chapman, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  4. #4
    SitePoint Member
    Join Date
    Apr 2009
    0 Post(s)
    0 Thread(s)
    Quote Originally Posted by magenta placenta View Post
    If I quit Firefox with the protected page tab open, then relaunch, Firefox appears to not delete session cookies. Have other people experienced this and is this expected behavior in Firefox?
    Yes, I've just discovered it while developing a Rails app, and I found it highly surprising. It seems to be commonly understood that cookies without an expiry date are stored only in RAM, and therefore are lost when the browser quits. For example, Wikipedia page HTTP_cookie#Cookie_attributes says:

    "If no expiration date is provided, the cookie is deleted at the end of the user session, that is, when the user quits the browser. As a result, specifying an expiration date is a means for making cookies survive across browser sessions. For this reason, cookies that have an expiration date are called persistent."

    The nearest I could find to an authoritative reference was RFC 2109, which says that if the incoming request does not have a Max-Age attribute, then "The default behavior is to discard the cookie when the user agent exits"

    It seems that Firefox has changed this default such that these cookies are in fact persisted to disk.

    I can't see a way to get the normal behaviour in Firefox. I could select "keep until: I close Firefox", but I imagine that will purge all cookies, not just ones which expire at the end of the session.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts