Closed Bug 711596 Opened 13 years ago Closed 8 years ago

Session cookies are unaffected by network.cookie.lifetime.days

Categories

(Core :: Networking: Cookies, defect)

Product:
Core
Component:
Networking: Cookies
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: bugzilla-graveyard, Assigned: amchung)

Details

(Whiteboard: [necko-next])

Attachments

(1 file, 1 obsolete file)

Issue screenshot
128.81 KB, image/jpeg
Details 
Filed using a recent Camino nightly (Gecko 1.9.2 branch, Mac OS X 10.6), but I pretty much guarantee this bug still exists in current code and across all OS versions.


It appears that our cookies code isn't respecting network.cookie.lifetime.days for cookies designated by the server as session cookies.

Because people who use this pref are likely to be using it for privacy purposes (as I am), and because not everyone quits their browser on a daily basis (I often have two-week sessions), IMO we should be conservative from a user standpoint and delete designated session cookies after N days if the session has not yet ended.

STR:

1) Set network.cookie.lifetimePolicy to 3.
2) Set network.cookie.lifetime.days to 1.
3) Visit several Web sites that set a variety of cookies.
4) Stop visiting Web sites.
5) Go at least one whole day without quitting the browser so that you reach the cookie lifetime limit.

ER: No cookies should still exist.

AR: A bunch of cookies exist that were originally designated as session-only.
bz: Can you shed any light on this? It seems the cookies code has been largely disowned and Shawn suggested you might be able to help out here.
Still present, confirming
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Mac OS X → All
Version: unspecified → Trunk
Whiteboard: [necko-backlog]
Amy, would you like to check this bug?
Flags: needinfo?(amchung)
Assignee: nobody → amchung
Flags: needinfo?(amchung)
Whiteboard: [necko-backlog] → [necko-active]
From my limited knowledge of the cookie code I'm guessing we want to implement this lazily--i.e. when we're about to return a cookie, we check if this pref is set and the cookie should be deleted.  That seems better and more efficient (and less code) than writing some sort of daily search through the cookie database.

But I could be wrong :)
Whiteboard: [necko-active] → [necko-next]
Hi Phoenix,
I found I can't reproduce this bug, and my steps of reproducing as below:
1. Set network.cookie.lifetimePolicy to 3 and set network.cookie.lifetime.days to 1.
2. Enter http://www.facebook.com
3. Login to my facebook
4. Confirmed the session cookies for recording login info that existed in DB.
5. Changed the local time after two days ago.
6. Reloaded http://www.facebook.com
7. The session cookies of login info didn't exist in DB.

Please confirm my steps of reproducing this bug, thanks!
Flags: needinfo?(pppx)
Attached image Issue screenshot (obsolete) — 
Hi Amy,

This step: "6. Reloaded http://www.facebook.com" will reinstall cookies from that site, I've just visited some another site to see, that other cookies are gone. And there is no need in "3. Login to my facebook" step, visiting site is just enough.
I've checked that bug is still exists on current nightly with original steps (I've just left browser open for a day), see attached screenshot
Flags: needinfo?(pppx)
Attached image Issue screenshot 

        Attachment #8792280 -
        Attachment is obsolete: true

    
    

    
  
https://dxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#3505
In nsCookieService::AddInternal(), it confirms the expired cookie will be delete.

https://dxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#3382
In nsCookieService::SetCookieInternal(), it calls nsICookiePermission::CanSetCookie() to set the expire time of the cookie that will be set.

https://dxr.mozilla.org/mozilla-central/source/extensions/cookie/nsCookiePermission.cpp#173
And in nsICookiePermission::CanSetCookie(), it confirms network.cookie.lifetime.days when setting the expire time of the cookie that will be set.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME

    
    

    
  
It is nice to hear that code is present, but can you please explain the screenshot above?
Flags: needinfo?(amchung)

    
    

    
  
https://dxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#3179 is pretty key here, as that block means that we won't send that cookie to the server for a given URI.  It may not have been purged (we lazily purge expired entries for perf reasons), but it should absolutely not show up in a request to the site.

The original bug is probably WFM.  What Phoenix is seeing is that the cookie manager loads cookies without checking if they're expired.

    
    

    
  
Hi Phoenix,
Because the expire cookie will be delete when calling nsCookieService::AddInternal(),
and this event occurs on reloading website.
If want to fix the screenshot, it needs to add a timer for triggering to remove expiry cookie.
Flags: needinfo?(amchung)

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: