Closed Bug 597234 Opened 12 years ago Closed 6 years ago

Always accept already expired cookies

Categories

(Core :: Networking: Cookies, enhancement)

RESOLVED WONTFIX

People

(Reporter: hcg, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; da-DK; rv:1.9.0.19) Gecko/2010090807 Iceweasel/3.0.6 (Debian-3.0.6-3)
Build Identifier: 

When logging out from sites using cookies, the site often sets the cookies with expiry in 1970 (or some other date in the past). When Firefox is set to always ask about accepting cookies, I get a series of questions, to which the (IMHO) only reasonable choice is to accept the cookie.

I can't imagine any reasons not to accept an already expired cookie, so I would suggest accepting them automatically, or at least have an option to do so.

Reproducible: Always

Steps to Reproduce:
N/A to enhancements.
Actual Results:  
N/A to enhancements.

Expected Results:  
N/A to enhancements.
I believe this is already the behavior - at least in v3.6.13.  For example, I was running some tests against a development VM's LA(M)P setup - it's not set to sync its clock with the host, so it was sending a cookie expiry time that was a week from its own clock, but 3 weeks past in the real world.
This drove me batty because Chrome and Safari both rejected the cookie outright, which Firefox silently accepted and set the cookie (performing a successful login in the case of this code).  Only after tracing the source to the PHP setcookie() function and using LiveHeaders to look at the content did I realize what was happening.

I actually can't think of a reason to accept cookies that are already expired.  Shouldn't those sites be deleting the cookie(s) and associated data items instead of rigging the expiry date to terminate a login?  I found this bug while looking to see if there was already a report for what I thought was the accept-expired-cookie bug.  Rather than just file a counter-bug, I figured it would be best to discuss in this one.
It isn't standard behaviour in the (admittedly old) version I use, if it is in newer versions, just close this bug.

> I actually can't think of a reason to accept cookies that are already expired.

You don't like to be able to log out from sites?

> Shouldn't those sites be deleting the cookie(s) 

How do you suggest they do that? Changing expiry of the existing cookie is the only pure HTTP way. It might be possible to do with some javascript (or similar), but that would fail if the user had disabled javascript, and generally be much more complicated.
Perhaps the difference in the two issues we're explaining is that I'm talking about accepting brand new cookies rather than changing the expiry date associated with existing cookies.

I still maintain that it's nonsensical to accept a brand new cookie which has an expiry date that's already passed.  Triggering the client-side cookie removal mechanism by changing the expiry date to one in the past seems to be common practice, I admit.

I have not tested the specific case you describe, but I've never had a problem triggering deletion of existing cookies using the method you describe.  However, I have confirmed that Firefox will indeed accept new cookies which have already expired, while two other mainstream browsers do not.  This behavior seems unintended at minimum, and I still cannot think of a reason to do so (again, speaking about NEW cookie items).

If, as I suspect, we're discussing two different issues, then perhaps a different bug report is warranted.  I was unsure of this based on your description, and figured discussion would clear it up.
You're right, accepting brand new cookies that are already expired makes no sense.

But I suspect Firefox doesn't really make the distinction between brand new and existing cookies. If it did, I probably wouldn't have had to file https://bugzilla.mozilla.org/show_bug.cgi?id=578764. Solving that would actually pretty much make my issue in this bug irrelevant; I just reported this because it seemed so much easier.

We clearly are discussing two different issues. Unfortunately I can't see how to change the title of this bug, so if you do create another bug, the title of this one will still be around to confuse people.
No worries - I'll try to be as distinct as possible, and add cross-links in the comments to deconflict symptoms.

Thanks for helping to clarify!
(In reply to hcg from comment #2)
> It isn't standard behaviour in the (admittedly old) version I use, if it is
> in newer versions, just close this bug.
> 
> > I actually can't think of a reason to accept cookies that are already expired.
> 
> You don't like to be able to log out from sites?
> 
I don't see that Firefox needs to cover "bugs" from these sites, be it intentional or not.

Released in April 2011, RFC 6265 requires: "The user agent MUST evict all expired cookies from the cookie store if, at any time, an expired cookie exists in the cookie store."
See page 23 at <http://tools.ietf.org/html/rfc6265#page-23>

Respecting the privacy setting (keep until expired/ff close/ask every time) is also important.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
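
The storage behaviour argued over in this thread, modelled on the RFC 6265 section 5.3 steps (replace a same-key cookie, insert, then evict everything expired), as an added example that is not part of the bug report and is not Firefox's code. The names `parseSetCookie` and `CookieStore`, the host `app.example` and the cookie values are constructed for illustration, and Path/Domain matching is left out.

```javascript
// Model of the RFC 6265 storage steps relevant to expired cookies.
// parseSetCookie and CookieStore are illustrative names, not Firefox internals.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), expiry: Infinity };
  let maxAge = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'expires' && !Number.isNaN(Date.parse(val))) cookie.expiry = Date.parse(val);
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = Number(val);
  }
  // Max-Age wins over Expires and counts from the client's clock, not the server's.
  if (maxAge !== null) cookie.expiry = maxAge <= 0 ? -Infinity : now + maxAge * 1000;
  return cookie;
}

class CookieStore {
  constructor() { this.jar = new Map(); }
  set(host, header, now) {
    const c = parseSetCookie(header, now);
    const key = `${host}|${c.name}`;       // Path/Domain matching omitted in this model
    const replaced = this.jar.delete(key); // a same-key cookie is evicted first
    this.jar.set(key, c);                  // the new cookie is inserted, expired or not
    this.evictExpired(now);                // then all expired cookies must be evicted
    return this.jar.has(key) ? 'stored' : replaced ? 'deleted-existing' : 'discarded-new';
  }
  evictExpired(now) {
    for (const [k, c] of this.jar) if (c.expiry <= now) this.jar.delete(k);
  }
}

// Constructed scenario: the client clock is 2011-02-01; the server VM runs four weeks behind.
function demo() {
  const now = Date.parse('2011-02-01T00:00:00Z');
  const store = new CookieStore();
  return {
    login: store.set('app.example', 'sid=abc123', now),
    logout: store.set('app.example', 'sid=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT', now),
    // "One week ahead" by the server's clock is already three weeks past for the client.
    skewedExpires: store.set('app.example', 'sid=xyz; Expires=Tue, 11 Jan 2011 00:00:00 GMT', now),
    skewedMaxAge: store.set('app.example', 'sid=xyz; Max-Age=604800', now),
    stored: [...store.jar.keys()],
  };
}
console.log(demo());
```

In this model the 1970 logout cookie and the brand-new expired cookie take the same code path, so neither case needs a user prompt; the skewed-clock login only survives when the server sends `Max-Age` instead of an absolute `Expires`.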