Participating Frequently
December 25, 2008
Question

cookies and firefox

  • December 25, 2008
  • 6 replies
  • 1024 views
I've been trying to find out why, when I create a cookie, Firefox does not kill my cookie when I close my browser (I'm using FF v 3.0.5).

In theory, if one does not set the expiry param in the cfcookie tag, the cookie should expire once I close my browser. This seems to be the case on many browsers except Firefox. I realise FF has an option which one is supposed to check so "private" data is cleared when the browser is closed, but this is not a default setting. Regardless of that, in FF settings > Privacy > cookie panel I have these settings checked on: “accept cookies from sites”, “accept third-party cookies” and “keep until they expire”. This tells me my cookies will die when they need to, depending on the settings they have been given, but this never happens.

In my mind this leaves a security issue: if one does not change their default "clear my private data" setting and does not log out from a site properly, it will leave their account open for any other person who goes to the same site.

For example, on this site and many other sites, I didn’t check the “remember me” option when I logged in; however, if I close my FF browser (but do not log out) and reopen it, I’m already logged in!

I'd appreciate any help in regards to how I can get the same behaviour to work on FF without depending on one changing their browser settings.
    This topic has been closed for replies.

    6 replies

    BKBK
    Community Expert
    December 28, 2008
    @Davelaws
    What’s the reason with adding the period at the start of mysite.com?

    The documentation on cfcookie says so. I suppose it has to do with how ColdFusion extracts the domain name from subdomains like warehouse.mysite.com, accounts.mysite.com, personnel.mysite.com, and so on.

    Here's something else you might wish to know. I saved the following version of your code as firefoxCookieTest.cfm.

    <cfif isDefined("COOKIE.cookieIsLive")>
    <cfoutput>COOKIE.cookieIsLive=#COOKIE.cookieIsLive#</cfoutput>
    <cfelse>
    COOKIE.cookieIsLive=NOT DEFINED
    </cfif>
    <cfcookie value="#now()#" name="cookieIsLive">

    Open the page for the first time in Firefox 3.0.5, and you will get:
    COOKIE.cookieIsLive=NOT DEFINED

    Refresh the page, and you will get something like:
    COOKIE.cookieIsLive={ts '2008-12-27 04:59:53'}

    Then close and re-open Firefox. When you run the page, you will get: COOKIE.cookieIsLive=NOT DEFINED as before.

    With the page still open, follow the menu Tools => Options => Privacy (tab) => Show Cookies (button). Locate the domain from the list of sites. Click on the + symbol to expand. You will see that the cookie file is still there, even though ColdFusion doesn't currently have the cookie in memory.




    Participant
    February 19, 2010

    Great info, thanks a lot. I use Firefox and found this very annoying!

    davelawsAuthor
    Participating Frequently
    December 28, 2008
    Adam:
    IE behaves as it should: once the browser is closed, one would return to a page where the following is displayed (IE6/7).

    COOKIE.cookieIsLive=NOT DEFINED

    Kapitaine
    Not everyone has the same settings as you, or me for that matter. I don’t get prompted to save or quit anything; it just closes the browser and any other tabs.

    I tested this again today using Facebook, based on the scenario I mentioned at the top. Same result. I would agree with you if it were a cached/static page; however, when I click on any of the links it does not redirect me to the login page and I'm able to use the site. Even on opening the browser and seeing the Facebook site (already logged in), I go to Google and then I type in facebook.com again and I'm still logged in. This proves it's not a static page I'm looking at.

    I do delete the cookies when one clicks on the “logout” link but not everyone does that!

    BKBK:
    What’s the reason with adding the period at the start of mysite.com?


    Thank you all for your replies.
    BKBK
    Community Expert
    December 27, 2008
    I've been trying to find out why, when I create a cookie, Firefox does not kill my cookie when I close my browser (I'm using FF v 3.0.5).

    You're right in expecting the cookie to be undefined when you close the browser. That is what ColdFusion should do, because your cfcookie tag has no expires attribute. That makes it a session-only cookie.

    However, there are two things you should know. First, the value of the domain attribute must begin with a period, thus ".mysite.com". Secondly, the old cookie file may still be on the client's machine when you close, then re-open, the browser. But the cookie will no longer be in ColdFusion's memory. That is what matters. You should observe that behaviour when you close, then re-open the browser. You should then see the text, COOKIE.cookieIsLive=NOT DEFINED.




    Participating Frequently
    December 27, 2008
    quote:

    the old cookie file may still be on the client's machine when you close, then re-open, the browser. But the cookie will no longer be in ColdFusion's memory.


    ColdFusion has no way to know that you closed and reopened the browser, especially if the reopened browser is still sending the same cookie. The only way your statement would be true is if you reopened your browser after the session-timeout has expired. Then and only then will ColdFusion delete that session/cookie from memory. However, if you closed and reopened the browser within the session-timeout, and your reopened browser sends the same session cookie, ColdFusion will happily include that browser conversation in the session it started with the browser pre-close.

    Edit: you can probably ignore all of this, I'm thinking sessions, not cookies. Sorry.
    December 26, 2008
    I think you might be mistaken.

    When I close Firefox, it asks me if I want to quit, cancel, or save and quit. Usually I choose save and quit. The next time I open the browser, the pages I left there are all displayed as I expected. However, if I then try and click on a link (say, on a site open that I would need to log in to - like Facebook), the page would actually reload and redirect me to the appropriate place. It almost seems like FF doesn't actually keep you logged in, but rather takes a static snapshot of the site you were previously on.

    On another note, if this is an issue, can you not just delete the session cookies on logout?
    Inspiring
    December 25, 2008
    > After doing more tests, I found the above only happens if you have the setting
    > of what page to start up on opening of browser to "show my windows and tabs
    > from last time". Still a problem, I'd appreciate any ideas to combat this.

    Well I think, then, that this is expected behaviour. Firefox is preserving
    the user's browser state between browser sessions: it's the way Firefox
    wants it to work.

    Inconvenient for you though this is, it should be up to the user how they
    wish this to work. Your solution is to not consider "the browser
    application being closed down" as "the browser session being terminated",
    because - as far as Firefox goes - those are two separate concepts.

    Does IE have similar functionality? What does it do with its cookies in
    these situations?

    --
    Adam
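
The reply above treats "browser closed" and "session terminated" as separate events, which leaves the server to decide when a session ends. The following is an added example, not code from any poster and not ColdFusion: a small Python model of a server-side session table with idle and absolute timeouts, showing what happens when a restored browser re-sends the same session cookie. The class name, timeout values and timeline are assumptions made for the illustration.

```python
import secrets

IDLE_TIMEOUT = 20 * 60          # assumed policy: 20 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed policy: 8 hours since login


class SessionStore:
    """Server-side session table; the cookie carries only an opaque id."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid  # would be sent as a cookie with no expiry attribute

    def logout(self, sid):
        # Invalidate on the server; clearing the browser cookie alone
        # leaves the id usable by anyone who still holds a copy.
        self._sessions.pop(sid, None)

    def authenticate(self, sid, now):
        """Return the user for a presented cookie value, or None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        idle = now - rec["last_seen"]
        age = now - rec["created"]
        if idle > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # expired: forget it for good
            return None
        rec["last_seen"] = now
        return rec["user"]


def restored_browser_demo():
    """Constructed timeline: browser closed, then restored with the same cookie."""
    store = SessionStore()
    sid = store.login("dave", now=0)
    results = {
        "restore_after_5_min": store.authenticate(sid, now=5 * 60),
        "restore_after_40_more_min": store.authenticate(sid, now=45 * 60),
        "retry_after_expiry": store.authenticate(sid, now=46 * 60),
    }
    sid2 = store.login("dave", now=10_000)
    store.logout(sid2)
    results["cookie_after_logout"] = store.authenticate(sid2, now=10_001)
    return results
```

A restore within the idle window is indistinguishable from a normal request, so the exposure window on a shared machine is bounded by the idle timeout rather than by the browser being closed.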
    davelawsAuthor
    Participating Frequently
    December 25, 2008
    After doing more tests, I found the above only happens if you have the setting of what page to start up on opening of browser to "show my windows and tabs from last time". Still a problem, I'd appreciate any ideas to combat this.