Closed Bug 1344090 Opened 9 years ago Closed 7 years ago

Firefox's cookie limitations does not allow to store 150 cookies per-domain , but only for the root domain, it is confusing.

Categories

(Core :: Networking: Cookies, defect, P3)

Product:
Core
Component:
Networking: Cookies
Version:
50 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: xjliang2007, Assigned: kershaw)

References

Details

(Whiteboard: [necko-backlog])

Attachments

(1 file)

cookies after evicted for domain=reg.taobao.com
32.59 KB, image/png
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Steps to reproduce: 1. We clear all the cookies that stored by firefox, then visit page = https://reg.taobao.com/member/reg/fill_mobile.htm 2. Using js script to write 150 cookies(domain=reg.taobao.com) in the console of firefox. The js script as follows: function setCookie(name,value) { var Days = 30; var exp = new Date(); exp.setTime(exp.getTime() + Days*24*60*60*1000); document.cookie = name + "="+ escape (value) + ";expires=" + exp.toGMTString()+";Domain=reg.taobao.com" } for(var i=1;i < 151;i++){ setCookie("name"+i,"value"+1); } 3. check the cookies stored in firefox, found it is ok with 150 cookies in domain of reg.taobao.com 4. visit page = https://login.taobao.com/member/login.jhtml , then check cookies , found that some cookies(belong to domain=reg.taobao.com) were evicted,but those cookies have different domain with the later ones. Actual results: the cookies of domain=reg.taobao.com were evicted by the cookies of domain=login.taobao.com or domain=.taobao.com Expected results: all cookies should be kept for domain=reg.taobao.com, because their domain is different from later ones
I did my test on firefox version of 50.0 , but this case also happened for 51.0
Component: Untriaged → Networking: Cookies
Flags: needinfo?(xjliang2007)
Product: Firefox → Core
Hi, YF what is the meaning of your reply? I can not understand it. By the way, did your repeat my test case?
I see the limit via http://browsercookielimits.squawky.net/. But I don't know whether it is a issue, waiting for someone else to triage.
Hi, YF Did you know someone who work in firefox? Maybe I can ask him for help about this case, haha.
Any thinking?
Flags: needinfo?(mcmanus)
Flags: needinfo?(mcmanus) → needinfo?(amchung)
Whiteboard: [necko-backlog]
I will take a look at this bug.
Flags: needinfo?(amchung)
Assignee: nobody → amchung
(In reply to Amy Chung [:Amy] from comment #8) > I will take a look at this bug. Thanks for your reply , I hope I describe the issue clearly, it makes me confusing, if it is not a bug, then what's wrong with my test case, really need your explanation , haha.
We are also seeing similar issue with Firefox 52.0 32 bit version. Our application is not able to set cookie after cookie count for domain including subdomain reaches to 150, however this behavior is not consistent. Some domain set-cookie requests are able to evict old cookie and set new cookie but some domains set-cookie instruction is completed ignored. Is there any algorithm to decide when old cookies will be evicted to make room for new cookie or any new flag has to be added to inforce to set cookie is every case. One pattern is observed if there is 150 persistent cookie for domain including sub domain those can't be replaced by non-persistent set-cookie request. Those cookies are only replaced by persistent [with max-age] set-cookie request. Can we get firefox developer attention on this. This is causing lot of trouble organization wide SSO login.
we are not seeing above behavior in FF 49. In FF 49.0, cookie is getting replaced by any call irrespective of persistent nature e.g. desired cookie is being set and evicted older cookie.
If I understand correctly(based on bug 1264192 comment 104), Chrome's 180 cookie limitation is also sub-domain based. Doesn't this kind of issue also happen in Chrome browser when cookie number reaches limitation?
Flags: needinfo?(xjliang2007)
Flags: needinfo?(ankitmittal14)
> If I understand correctly(based on bug 1264192 comment 104), Chrome's 180 > cookie limitation is also sub-domain based. To be clear, what I mean here is per-base-domain(i.e. counting google.com and all of its subdomains).
In Chrome, even if we set 180 secure domain cookies, it got replaced by subsequent set-session cookie request that is not happening in Firefox.
Flags: needinfo?(ankitmittal14)
Ideal behavior could be "not to replace secure cookies" but increase allowed cookie count to next level say 200. Other way to handle it consider every sub-domain as separate domain in cookie count logic.
Hi Josh, I had written a testing webpage to verify the difference between Chrome and Firefox when the number of cookies per host to the maximum, and the result as below: [Chrome] 1. Maximum of the cookies per host:180 2. Deleting algorithm 1. If this cookie is expired 1. Delete this cookie 2. Otherwise, if this cookie doesn’t set secure flag and isn’t a session cookie 1. Delete this cookie 3. Otherwise, if this cookie is a session cookie. 1. Delete this cookie 4. Delete secure cookie 3. If the number of cookies to the limitation, and user set a cookie on same base domain. 1. Chrome will remove 30 cookies and let the number of cookie reduce to 150. [Firefox] 1. Maximum of the cookies per host:180 2. Deleting algorithm 1. If this cookie is expired 1. Delete this cookie 2. Otherwise, if this cookie doesn’t set secure flag and !DomanMatch() and !PathMatch() 1. Delete this cookie 3. Delete the oldest cookie 3. If the number of cookies to the limitation, and user set a cookie on same base domain. 1. Firefox will remove one cookie. Would you give me your suggestion that we could avoid the similar bugs? In my view, maybe we could modify the maximum and the number of deleting the cookies which are candidates. Thanks!
Flags: needinfo?(josh)
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Hi Jason, Base on Comment 16, I think we could modify the maximum and the number of deleting the cookies which are candidates. Would you give me your suggestions? Thanks!
Flags: needinfo?(jduell.mcbugs)
As mentioned in an email thread, I think we should: * increase the limit to 180 before we start evicting cookies * implement batch eviction that brings us down to 150 again when we evict cookies * remove our eviction heuristics that rely on path and domain checks
Flags: needinfo?(josh)
Flags: needinfo?(xjliang2007)
Assignee: amchung → hurley
Flags: needinfo?(jduell.mcbugs)
Assignee: hurley → kershaw
I'm unclear on whether there's still work in this bug, or whether we fixed everything in bug 357676. Is there still work here, and if so, what?
Flags: needinfo?(kershaw)
That last comment got the bug number wrong--it's bug 1357676 :)
Flags: needinfo?(josh)
(In reply to Jason Duell [:jduell] (needinfo me) from comment #21) > I'm unclear on whether there's still work in this bug, or whether we fixed > everything in bug 357676. Is there still work here, and if so, what? We did all the work in bug 1357676 based on comment #20. So, I think we can close this bug.
Flags: needinfo?(kershaw)
Agreed.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(josh)
Resolution: --- → FIXED
See Also: → 1993520
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: