We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

I am seeing a few persistent cookies that remain after a session has been closed.

  • 4 replies
  • 1 has this problem
  • 2 views
  • Last reply by bolcrom

more options

I have set my privacy settings to :

-Always accept cookies from sites (including third party)

-Keep cookies until "I close firefox"

-Clear history when firefox closes (checking all item in "Settings for Clearing History" except for "Saved Passwords")

-I do not maintain any list of Exceptions

To the best of my knowledge, this has been working perfectly for a long time now. Earlier today, though, I used CCleaner to examine the cookies on my system. All of my browser sessions were closed in all of my browsers (FF, Chrome, IE, Edge). Therefore, I was surprised to find a few cookies attributed to firefox in the cookies console. They represented no more than four or five domains and I didn't think much of it as I attributed it to possibly an artifact of my recent upgrade to Windows 10. I deleted said cookies. However, out of curiosity, I later visited one of the domains represented - mega.nz - and toyed around for a minute. The site offers registration free uploads from its start page. I uploaded a small junk file and then navigated away from the page to news.google.com. Then I closed the entire firefox session and took a look at the cookie console in CCleaner. Once again, mega.nz 's cookie persisted through the closed session. For comparison, no other cookies from that particular session across several domains were still there.

Now, I wish that I had paid better attention to the persistent cookies that I deleted earlier in the day to better contribute to this knowledgebase. Other than mega.nz, I can only be sure that bostonglobe.com also leaves a persistent cookie. So, it seems that there is a type of non-flash cookie that now persists across Firefox sessions. I invite you to please replicate my observations and confirm them for yourselves. It's my hope that Firefox developers will see this and plug this serious privacy breach. Respect for user privacy has meant everything to me in my continual loyalty to Firefox.

I have set my privacy settings to : -Always accept cookies from sites (including third party) -Keep cookies until "I close firefox" -Clear history when firefox closes (checking all item in "Settings for Clearing History" except for "Saved Passwords") -I do not maintain any list of Exceptions To the best of my knowledge, this has been working perfectly for a long time now. Earlier today, though, I used CCleaner to examine the cookies on my system. All of my browser sessions were closed in all of my browsers (FF, Chrome, IE, Edge). Therefore, I was surprised to find a few cookies attributed to firefox in the cookies console. They represented no more than four or five domains and I didn't think much of it as I attributed it to possibly an artifact of my recent upgrade to Windows 10. I deleted said cookies. However, out of curiosity, I later visited one of the domains represented - mega.nz - and toyed around for a minute. The site offers registration free uploads from its start page. I uploaded a small junk file and then navigated away from the page to news.google.com. Then I closed the entire firefox session and took a look at the cookie console in CCleaner. Once again, mega.nz 's cookie persisted through the closed session. For comparison, no other cookies from that particular session across several domains were still there. Now, I wish that I had paid better attention to the persistent cookies that I deleted earlier in the day to better contribute to this knowledgebase. Other than mega.nz, I can only be sure that bostonglobe.com also leaves a persistent cookie. So, it seems that there is a type of non-flash cookie that now persists across Firefox sessions. I invite you to please replicate my observations and confirm them for yourselves. It's my hope that Firefox developers will see this and plug this serious privacy breach. Respect for user privacy has meant everything to me in my continual loyalty to Firefox.

Modified by bolcrom

All Replies (4)

more options

bolcrom said

I have set my privacy settings to :
-Always accept cookies from sites (including third party)
-Keep cookies until "I close firefox"
-Clear history when firefox closes (checking all item in "Settings for Clearing History" except for "Saved Passwords")

I believe the way it is supposed to work is as follows:

  • With Keep cookies until "I close Firefox" (and no exceptions) any local storage items collected during your session should be expired/removed at the end of your session.
  • With Clear history when Firefox closes including cookies, any local storage items in the browser should be cleared.

What does CCleaner show is the actual content of the local storage for any sites persisting after you exit Firefox?

more options

It look as though there are some open "bugs" relating to clearing of local storage.

Regarding the setting of cookies expiring at the end of the session:

Bug 886832 – localstorage not deleted when closed even though "[Privacy - Cookies] Keep until I close Firefox" is enabled.

Regarding clearing cookies using the shutdown cleaning, that should remove the stored data. It might not remove the folder or database.

more options

I've included the cookie, sqlite, idb, etc. files remaining on my drive after entire closing a session. I visited bostonglobe.com and mega.nz. I uploaded a small test file on the latter site. I believe the larger chunks (in KB) you see in the attached png are the locally encrypted parts of that file as it was disassembled before being transferred to Mega.

Also, note that the actual cookies for the sites have been "deleted" according to the output in the Ccleaner console. I believe that while the content of the cookie which includes the alphanumeric identifier has been scraped at the session's close, the "shell" of the cookie indicating that you've visited the sites remains.

Thanks for pointing me to the open bug. I don't think it's out of turn to note that that bug has now been open for two years. Mozilla provides us a great free service, but the quality of that service has always hinged on mozilla's unchallenged concern for user privacy. A flaw of this nature nearly breaks that contract for me.

Modified by bolcrom

more options

It's worth noting that Twitter has now started using these super cookies.