Configure Firefox to accept third-party cookies for the session only
Third-party cookies are still widely used on today's Internet to track users across browsing sessions and sites they visit. While the reach of the tracking depends on the popularity of a service -- it needs to be implemented in as many sites as possible -- it is fair to say that if you allow third-party cookies to roam freely you will be tracked.
Firefox exposes only some of its cookie options in the browser options. You can block third-party cookies entirely or allow them only for sites you visited in the past.
There is also an option to clear all cookies on exit of the browser and to add exceptions to keep some around which is useful for cookies that track authentication sessions.
If you dig deeper into Firefox's options you may notice that the browser supports a bunch of cookie options that are not exposed to users in the UI.
One of these options cleans third-party cookies automatically on browser exit. The core difference to Firefox's options is that it won't touch first-party cookies set in the browser.
Here is how you configure the option:
- Load about:config in the Firefox address bar and hit the Enter-key to load the advanced configuration page in the browser.
- Confirm that you will be careful if the warning is displayed.
- Search for network.cookie.thirdparty.sessionOnly
- Double-click the preference.
The preference knows two states: true or false. The default state is false which means that Firefox won't handle third-party cookies any different than first-party cookies in the browser.
If you set the preference to true, however, Firefox will delete any third-party cookie set in the browser when you close it.
Deleting third-party cookies automatically limits tracking to browsing sessions. The option is much better than not allowing third-party cookies at all, as it may interfere with certain web services that require these cookies.
My suggestion is to allow third-party cookies only for visited sites and configure Firefox to delete them all when you close the browser. You may still add exceptions to that if you run into sites that require third-party cookies or don't work correctly for whatever reason.
You could also experiment with blocking third-party cookies entirely and see how that works out for you.
In case you are wondering, the primary cookie handling preference is network.cookie.cookieBehavior which you can set to 0: always, 1: only from originating server, 2: no cookies, 3: third-party cookies only from visited sites.
There is also network.cookie.lifetimePolicy which defines when cookies get deleted. Supported values are 0: supplied by server, 1: user is prompted, 2: expires with session, 3: lasts for specified number of days specified in network.cookie.lifetime.days.
Now You: How do you handle cookies in your browser of choice?
Related articles
- A look at Firefox's Forget Me Not cookies extension
- How to deal with Firefox extensions that require cookies
- How to enable First-Party Isolation in Firefox
- Mozilla publishes Firefox Multi-Account Container add-on
- What is Firefox Pioneer?
Hi Tom
First of all a big “thank you” for your reply, your efforts to explain and to elaborate on your proposed solution. The bad news is that it does not work. Below I go through my doings so you can see for yourself and compare it to your own findings; I presume you tested your solution before you gave it to me. Right?
Here we go with FF60 on W7, FF is installed on the C-Drive.
FIRST PASS
Step # 1
As a first step I clean the FF by
1.) Shut down the Internet connection
1.) Go to HISTORY
2.) Set “Remember” History
3.) Clear All History (all boxes checked) and Time range to clear “Everything”.
Now all “contamination” and “artifacts” in FF are gone
Step # 2
I make the following settings in COOKIES and SITE DATA:
1.) “Your stored cookies, site data and cache are currently using 0 bytes of disk space”. All Data is cleared.
2.) “Accept cookies and Site Data from websites (recommended)” is checked. No exceptions
3.) Keep until “I close FF”
4.) “Accept third-party cookies and site data”: ALWAYS
Step # 3
I power up the Internet connection and my home page shows up https://www.google.nl/
Step # 4
I go back to COOKIES and SITE DATA and I click MANAGE DATA to see what cookies are set.
The site “google.com” has set 1 cookie
The site “google.nl” has set 3 cookies
Step # 5
I disconnect (shut down) the Internet connection
I exit FF
Step # 6
I start FF
There are no cookies. Now I know that the basics are working OK
SECOND PASS
Exactly as the First Pass with the addtion of
Step # 3A as follows
Go to Favicon in the urlbar, then click on the right arrow, then click on ‘More Information’
In PERMISSIONS -> Set Cookies: I uncheck “Use Default” and I check “ALLOW”
In Step # 4 I find the very same cookies.
I do Step # 5
I do Step # 6 Now I see that there are NO COOKIES however I expected that Step # 3A would preserve (save or rescue) those cookies while closing and starting FF.
Using my test approach I must conclude that the proposed solution does not work.
While executing my test procedure it is essential to disconnect the Internet connection as stated to ensure the Google can not set cookies; leaving the Internet connection ON makes the test “nonconclusive” because Google can set these 4 cookies beyond your control.
I look foreward to hearing from you, regards, Jan
I am getting “sick and tired” about the cookies’ rules, the settings, the explanations and never ending changes in the browsers. I seemingly can not right. And am I the stupid user?
When I read the above comments from people who are surely much smarter than I am I am convinced that it is a mess all over the place; misconceptions, misunderstandings and sometimes wrong informations.
The thing does not get cleaned up because that would close the loopholes I guess.
Yes, you understood it well: I am pissed about the way cookies are handles in FF.
@Jan, getting to understand a browser’s cookies’ rules and settings has nothing to do with one’s intelligence. It appears as a mess because it is indeed complicated in that settings inter-react with each other, and not only those of cookies. After years trying to stay up-to-date with the modifications and new settings I still get surprised. IMO there is a general policy among browser developers which is to gather as much user data as possible (telemetry or tracking depending on how you conceive it) but at the same time provide settings which allow a developer to state : “settings are there”. They are, but because they influence each other, because it it would be far more easy to understand if this “backdoor policy” wasn’t a ghost, a basic user faces mysteries which can lead to exasperation : your reaction is understandable and if it may be a relief : you are not the only one. Many users, because they fear exasperation, take things as they come. Once you try to understand the mysterious life of your browser either you need to learn what should be intuitive either you get mad…
Browsers have become a cockpit, especially Firefox. But be it reminded that this being means instruments are available. Which is the least. No instruments (settings) and browser life appears as harmonious as a placid lake (which it is not). Knowledge, insights requires sometimes more than basic and intuitive logic when investigation is the only alternative to get the best and avoid the worst.
From there on if you have a specific point which you don’t understand, go ahead, I’ll try to do my best to bring some light.
Hi Tom,
Thanks for your kind reply.
Let me ask you for advise in the following situation.
1.) I use FFox, latest release. After completing searching I close FF and I want to delete the traces left in the browser. I can do that manually or automatically (clear at closing).
2.) I use Google to search the web. I do not log-in to Google (I have no account). I do not want Google to record my search history (although I am not logged in!) and I want to limit advertisements. For that purpose I enter settings at the site https://www.google.nl/#cns=1
3.) To accomplish above I believe that Google sets a number of cookies in my browser.
4.) I believe that I can easily identify these cookies.
Question:
How can I preserve those specific Google cookies so that they, once set, survive the general cleaning of cookies in FF and that they are available next time I open the FF browser?
Can it be done in FF without using the help of add-ons or extensions?
@Jan,
“Can it be done in FF without using the help of add-ons or extensions?” : yes.
“How can I preserve those specific Google cookies so that they, once set, survive the general cleaning of cookies in FF and that they are available next time I open the FF browser?”
All can be done without extra extensions. Here goes.
It’s all in Firefox / Options / Privacy & Security / Cookies and Site Data
-> Keep until :
– ‘I close Firefox’ means the cookie global policy for cookies is that of ‘session only’ : all cookies by default are wiped when you exit Firefox;
– ‘they expire’ means all cookies by default are kept after FF exit and will remain for the time thay had been set to by the websites
-> Accept third-part cookies and data :
– ‘Always’ or ‘Never’ are self-explicit.
Now, the user’s choices :
-> Keep until : I suggest, to fit into your question, to set to ‘I close Firefox’ : fine, but what about sites, like your Google cookies?
That’s where Firefox gives the user the possibility to create an ‘exception’ for a given site:
Once on the site you wish to keep the cookies, click on the site’s favicon in the urlbar, then click on the right arrow, then click on ‘More Information’ …
OR
anywhere on the page, right-click and on the meny click on ‘View Page Info’ …
OR
in our above mentioned ‘Firefox / Options / Privacy & Security / Cookies and Site Data’ click on ‘exceptions’ and enter the site’s domain (domain only : i.e. https://google.com‘ but ‘https://www.google.com/imghp’ won’t be accepted.
If proceeding from the site’s ‘Page Info’ : click on ‘Permissions’ then find ‘set Cookies’ : what is checked is the global cookie policy we’ve set above. To make an exception for the site you’re visiting : uncheck ‘use default’ and check either one of the two alternatives: if global policy is ‘allow for session’ you may want (your question) to choose ‘Allow’.
Now, what do we have?
A global cookie policy which is to keep cookies for session only;
an exception for the site you’ve chosen, i.e. google.com
This way all cookies are removed when you exit Firefox except those for which you’ve chosen the ‘Allow’ exception.
The idea is : a global default policy followed by per-site exceptions.
I hope I was complete and not excessively. English is not my mother-tongue and I’m not a techie!
Feel free to ask for precisions.
I think that I did not put my answer to Tom as a REPLY. Sorry. Now it should be correct.
==================================================================
Hi Tom
First of all a big “thank you” for your reply, your efforts to explain and to elaborate on your proposed solution. The bad news is that it does not work. Below I go through my doings so you can see for yourself and compare it to your own findings; I presume you tested your solution before you gave it to me. Right?
Here we go with FF60 on W7, FF is installed on the C-Drive.
FIRST PASS
Step # 1
As a first step I clean the FF by
1.) Shut down the Internet connection
1.) Go to HISTORY
2.) Set “Remember” History
3.) Clear All History (all boxes checked) and Time range to clear “Everything”.
Now all “contamination” and “artifacts” in FF are gone
Step # 2
I make the following settings in COOKIES and SITE DATA:
1.) “Your stored cookies, site data and cache are currently using 0 bytes of disk space”. All Data is cleared.
2.) “Accept cookies and Site Data from websites (recommended)” is checked. No exceptions
3.) Keep until “I close FF”
4.) “Accept third-party cookies and site data”: ALWAYS
Step # 3
I power up the Internet connection and my home page shows up https://www.google.nl/
Step # 4
I go back to COOKIES and SITE DATA and I click MANAGE DATA to see what cookies are set.
The site “google.com” has set 1 cookie
The site “google.nl” has set 3 cookies
Step # 5
I disconnect (shut down) the Internet connection
I exit FF
Step # 6
I start FF
There are no cookies. Now I know that the basics are working OK
SECOND PASS
Exactly as the First Pass with the addtion of
Step # 3A as follows
Go to Favicon in the urlbar, then click on the right arrow, then click on ‘More Information’
In PERMISSIONS -> Set Cookies: I uncheck “Use Default” and I check “ALLOW”
In Step # 4 I find the very same cookies.
I do Step # 5
I do Step # 6 Now I see that there are NO COOKIES however I expected that Step # 3A would preserve (save or rescue) those cookies while closing and starting FF.
Using my test approach I must conclude that the proposed solution does not work.
While executing my test procedure it is essential to disconnect the Internet connection as stated to ensure the Google can not set cookies; leaving the Internet connection ON makes the test “nonconclusive” because Google can set these 4 cookies beyond your control.
I look foreward to hearing from you, regards, Jan
Dear Tom
I got the following mail from you:
On 6/16/2018 11:34 AM, gHacks Technology News wrote:
>
> There is a new comment to Configure Firefox to accept third-party cookies for the session only.
>
> Comment Link: https://www.ghacks.net/2018/06/09/configure-firefox-to-accept-third-party-cookies-for-the-session-only/#comment-4382404
>
> Author: Tom Hawack
>
> Comment: @Jan,
>
> – No need to close/reopen your Internet connection
>
> – Look at HISTORY / ‘Clear History when Firefox closes’ : is it checked? I presume it is
> – Open ”Clear History when Firefox closes’ -> Settings
> – Now you have ‘Settings for clearing History’ -> Uncheck ‘Cookies’
>
> That must be the culprit.
======================================================
Let me comment to that as follows:
You write:
No need to close/reopen your Internet connection
My comment:
You do not read what I have said earlier or you do not comprehend
You write:
Look at HISTORY / ‘Clear History when Firefox closes’ : is it checked? I presume it is
My comment
NO. It is NOT checked because it can not be checked (set). There is no such option called “Clear History when FireFox closes” if you have set “Remember History”. If you would have read all the steps in my tests you could have known that!
You write
That must be the culprit.
My comment
It can not be the culprit.
In addition, you OBVIOUSLY have not first checked your proposed solution. But you keep throwing up guesses.
I feel I get nowhere with your suggestions. Let us stop at this point.
Jan
@Jan, it’s not my suggestions, it’s Firefox’s built-in settings which avoid having to go through about:config. All the basics are in Firefox’s Options. I don’t understand what is your problem, i’m afraid there is something you’re doing wrong. I’m not proposing a whatever tweak, I’m only describing the basics of Firefox options regarding your cookies’ problem, or trying to, rather.
By the way, maybe clicking on the Option’s page / ‘Firefox Support’ (down-left) will bring you the help I obviously lacked to explain.
Good luck.
@Jan,
– No need to close/reopen your Internet connection
– Look at HISTORY / ‘Clear History when Firefox closes’ : is it checked? I presume it is
– Open ”Clear History when Firefox closes’ -> Settings
– Now you have ‘Settings for clearing History’ -> Uncheck ‘Cookies’
That must be the culprit.
@Jan, ‘Clear History when Firefox closes’ cleans everything which is checked independently of all other settings, so be sure to :
– Either uncheck ‘Clear History when Firefox closes’ => Nothing cleared on FF exit,
– Either check ‘Clear History when Firefox closes’ then open ‘Settings’ then UNcheck what must NOT be cleared on FF exit -> Uncheck ‘Cookies’ at least regarding our problem
NOW, cookies won’t be cleared when FF exits : OK
NOW, regarding those cookies you want to keep but no others :
Options / Privacy & Security / Cookies and Site Data / Accept cookies and site data from Websites (recommended) : Keep until : Select ‘Until I close Firefox’
This means cookies and site data will be kept for the current session only
After that, you did it correctly above when you set google. com and google. nl as exceptions ‘Always’
We have :
1- ‘Clear History when Firefox closes’ does NOT clear cookies
2- Cookies (and site data) are for session only
3- EXCEPT for google. com and google. nl
All OK now?
Hi Martin,
Talking about cookies, I have this nerve racking problem about supercookies. Whenever, I delete them from the following path:
C:\Users\tedpa_000\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
they will reappear after a while. Is there a way to block them from being installed in the first place?.
You could also uninstall Flash.
Here you go: https://www.ghacks.net/2013/02/01/disable-third-party-flash-cookies-that-track-you-on-the-internet/
Thanks a lot for the provided link to answer my query.
In Pale Moon I manually delete all cookies after every site visit via: Menu Bar> History> Clear Recent History> Time Range to clear: Everything> Clear Now (everything is checked for deletion except Site Preferences). Also, never accept third party cookies and surfing with JavaScript toggled off prevents a lot of cookies from ever being set. This is the simplest, surest way I’ve found to deal with cookies.
I can’t ever imagine allowing third party cookies! Not allowed them in living memory! :)
Nice color.firefox.com you have there Martin, can you give us its link?
Here you go: https://color.firefox.com/?theme=XQAAAALmAAAAAAAAAABBKYhm849SCiazH1KEGccwS-xNVAVd_03vEpPKilaZmJQF4iNoCL46bbnL7mlLNOpbMpdi3VPLE4tgVgC7BALrlxuGvosEULeL4gkUtbomNgeE-dHggzPLCthLJVoPPrc_Ik8xBOMufb790-rCDsNFLUhVwNJRlA3YSsle4pnttoJtA4sQa-3cYEAOmWuUbsweF7jyX_THD6Pru4J1QlCsml_csT3n_6pVwAA
Thank you Martin for this.
When my Firefox ESR ends accepting my old extensions, and I will have to change my browser to the Quantum version, I will try your references. Maybe these will make loosing Self Destructing Cookies a little easier.
I never except third party cookies. If a site requires this, I move to another site.
I don’t allow third parties cookies at all and it’s not that often that I have to temporarily allow them. It’s not convenient and I might don’t think about it if I go to a non-working website, but I prefer my privacy :p
PlusPrivacy add-on for FireFox released!
PlusPrivacy is an open-source personal online privacy service, developed with financial support of the EU and intended for public good. Initially released for Chrome, Android and iOS and announced here on privacytoolsio subreddit.
We are now happy to announce the release of PlusPrivacy FireFox add-on – search for “PlusPrivacy” at https://addons.mozilla.org/en-US/firefox/.
For Firefox https://addons.mozilla.org/en-US/firefox/addon/plusprivacy/
For Chrome https://chrome.google.com/webstore/detail/plus-privacy/boagbmhcbemflaclmnbeebgbfhbegekc
Key features:
[1] Comprehensive personal privacy dashboard
[2] Single-click configuration of optimal privacy settings in your Google, Facebook, Twitter and
LinkedIn accounts (can be tweaked to reflect personal preferences).
[3] Presentation and single-click cleanup based on privacy intrusiveness of browser add-ons and
web apps connected to your Google, Facebook, Twitter, LinkedIn and DropBox accounts.
[4] Email identity management/anonymous bi-directional remailing, allowing you to hide your real
email address from the websites and online services to which you register, and have a
practically unlimited number of private email identities.
[5] Fully anonymous operation (no registration on PlusPrivacy servers) except if you want to use
email identity management (the servers need to know your real email address in this case).
[6] Should work 100% in Tor browser but we are still testing this.
[7] In the FireFox version we removed the built-in ad blocker – you can now use with your favorite
ad blocker.
[8] The current service tier is free and will remain free. Opt-in paid tier allowing controlled consent
to use of data in exchange for an economic benefit may be released in the future.
website: https://plusprivacy.com/
blog (contains detailed articles about features): https://plusprivacy.com/blog/
privacy policy: https://plusprivacy.com/privacy-policy/
source: https://github.com/OPERANDOH2020/PlusPrivacy
This is a beta version but seems to be pretty stable. Your feedback and help in testing this version will be appreciated!
PlusPrivacy team
This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the OPERANDO project (GA no. 653704).
https://www.reddit.com/r/privacytoolsIO/comments/8prf6p/plusprivacy_addon_for_firefox_released/
Great article again, Martin. Thanks for that!
I am wondering when I make use of the Firefox’s Forget Me Not cookies extension and have set the option “Clean when leaving all instances of a domain:” (also I have set to do “clean when leaving the settings Local Storage (Firefox 58+)” and also “clean on browser start” ) can or do I still have to configure inside Firefox with about:config the option clean third-party cookies automatically on browser exit like you described it here above in your article?
This setting is of course most valuable for users who accept 3rd-party cookies, but I linger to understand why they’d ever be.
Default cookie policy for Firefox is to accept all cookies:
user_pref(“network.cookie.cookieBehavior”, 0);
With 0=allow all, 1=allow same host, 2=disallow all, 3=allow 3rd party if it already set a cookie
Of course I consider 1=allow same host as the best value which, IMO, should be Firefox’s default.
Personally I never allow 3rd-party cookies and sites requiring it get forgotten.
Yet,
– on one hand, as mentioned in the article, “Third-party cookies are still widely used on today’s Internet to track users across browsing sessions and sites they visit.”,
– on the other hand, third-party cookies are not blocked by default on Firefox…
Odd equation. Firefox must have its reasons. Anyone who’s briefed to resolve it please share your initiation : thanks!
—
Another important cookie setting is of course its lifetime:
// cookie lifetime policy — 0=until they expire (default), 2=until you close Firefox, 3=for n days (see “network.cookie.lifetime.days”)
user_pref(“network.cookie.lifetimePolicy”, 2); // I set it to 2
// set cookie lifetime in days (see above pref) – default is 90 days
user_pref(“network.cookie.lifetime.days”, 999); // I set it to 999 should I ever use it
Now, at least with Firefox 60, setting “network.cookie.lifetimePolicy” to 2, if it does it mean indeed that cookies will be removed on Firefox exit, does also imply that the user’s LocalStorage (webappstore.sqlite) will remain untouched : many sites, unless their cookies are blocked or set to ‘session only’ use the LocalStorage as another storage solution.
Keep “network.cookie.lifetimePolicy” set to 2 (cookies by default are ‘session only’) and set sites’ cookie permission to ‘Allow’ for the sites’ cookies you wish to allow is the best basic cookie policy, IMO.
From there on cookie management can be greatly facilitated with extensions such as ‘Forget Me Not’ or ‘Cookies Autodelete’ … after thorough comparisons I opt for the first, personally.
Much more to say concerning cookies. I’ve already wrote too much.
Thanks Martin for reminding this essential cookie setting for those who don’t block 3rd-party cookies.
Very useful comment, thank you. As far as I remember in the past there it was possible to set cookie lifetime in privacy settings (no need to go deep into about:config).
I have no idea why Mozilla removed it. Privacy company? Not very much. And it’s sad.
What’s the reason of talking about superprivate mode in Firefox (plans to built in TOR) if so basic settings as cookie management are stripped.
@duri,
“As far as I remember in the past there it was possible to set cookie lifetime in privacy settings”
That triggers something in my memory, but that was a long time ago …
“I have no idea why Mozilla removed it. Privacy company? Not very much. And it’s sad.”
Explanations about Mozilla removing options (either in the Options either in about:config, the latter being of course definitive) are of three types,
1- Lack of users (well, as of the gathered telemetry data) using a given option;
2- Option is either obsolete either incompatible with latest versions,
3- In the eternal war between ethics and profit, the pro-profit lobby won a battle.
I truly believe (3) is seldom the reason, but I may be mistaking of course.
I am confused when I notice pro-user functions, settings availability, default settings together with not-at-all-pro-user elements, either as such (gadget oriented system add-ons which hurt privacy more than they bring true improvements/innovations) either as opt-out settings which should be opt-in. What I perceive as a blend of the worst and the best stuns me day by day.