Closed
Bug 711596
Opened 13 years ago
Closed 8 years ago
Session cookies are unaffected by network.cookie.lifetime.days
Categories
(Core :: Networking: Cookies, defect)
Core
Networking: Cookies
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: bugzilla-graveyard, Assigned: amchung)
Details
(Whiteboard: [necko-next])
Attachments
(1 file, 1 obsolete file)
128.81 KB,
image/jpeg
|
Details |
Filed using a recent Camino nightly (Gecko 1.9.2 branch, Mac OS X 10.6), but I pretty much guarantee this bug still exists in current code and across all OS versions. It appears that our cookies code isn't respecting network.cookie.lifetime.days for cookies designated by the server as session cookies. Because people who use this pref are likely to be using it for privacy purposes (as I am), and because not everyone quits their browser on a daily basis (I often have two-week sessions), IMO we should be conservative from a user standpoint and delete designated session cookies after N days if the session has not yet ended. STR: 1) Set network.cookie.lifetimePolicy to 3. 2) Set network.cookie.lifetime.days to 1. 3) Visit several Web sites that set a variety of cookies. 4) Stop visiting Web sites. 5) Go at least one whole day without quitting the browser so that you reach the cookie lifetime limit. ER: No cookies should still exist. AR: A bunch of cookies exist that were originally designated as session-only.
Reporter | ||
Comment 1•13 years ago
|
||
bz: Can you shed any light on this? It seems the cookies code has been largely disowned and Shawn suggested you might be able to help out here.
Still present, confirming
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Mac OS X → All
Version: unspecified → Trunk
Updated•9 years ago
|
Whiteboard: [necko-backlog]
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → amchung
Flags: needinfo?(amchung)
Whiteboard: [necko-backlog] → [necko-active]
Comment 4•8 years ago
|
||
From my limited knowledge of the cookie code I'm guessing we want to implement this lazily--i.e. when we're about to return a cookie, we check if this pref is set and the cookie should be deleted. That seems better and more efficient (and less code) than writing some sort of daily search through the cookie database. But I could be wrong :)
Assignee | ||
Updated•8 years ago
|
Whiteboard: [necko-active] → [necko-next]
Assignee | ||
Comment 5•8 years ago
|
||
Hi Phoenix, I found I can't reproduce this bug, and my steps of reproducing as below: 1. Set network.cookie.lifetimePolicy to 3 and set network.cookie.lifetime.days to 1. 2. Enter http://www.facebook.com 3. Login to my facebook 4. Confirmed the session cookies for recording login info that existed in DB. 5. Changed the local time after two days ago. 6. Reloaded http://www.facebook.com 7. The session cookies of login info didn't exist in DB. Please confirm my steps of reproducing this bug, thanks!
Flags: needinfo?(pppx)
Hi Amy, This step: "6. Reloaded http://www.facebook.com" will reinstall cookies from that site, I've just visited some another site to see, that other cookies are gone. And there is no need in "3. Login to my facebook" step, visiting site is just enough. I've checked that bug is still exists on current nightly with original steps (I've just left browser open for a day), see attached screenshot
Flags: needinfo?(pppx)
Attachment #8792280 -
Attachment is obsolete: true
Assignee | ||
Comment 8•8 years ago
|
||
https://dxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#3505 In nsCookieService::AddInternal(), it confirms the expired cookie will be delete. https://dxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#3382 In nsCookieService::SetCookieInternal(), it calls nsICookiePermission::CanSetCookie() to set the expire time of the cookie that will be set. https://dxr.mozilla.org/mozilla-central/source/extensions/cookie/nsCookiePermission.cpp#173 And in nsICookiePermission::CanSetCookie(), it confirms network.cookie.lifetime.days when setting the expire time of the cookie that will be set.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
It is nice to hear that code is present, but can you please explain the screenshot above?
Flags: needinfo?(amchung)
Comment 10•8 years ago
|
||
https://dxr.mozilla.org/mozilla-central/source/netwerk/cookie/nsCookieService.cpp#3179 is pretty key here, as that block means that we won't send that cookie to the server for a given URI. It may not have been purged (we lazily purge expired entries for perf reasons), but it should absolutely not show up in a request to the site. The original bug is probably WFM. What Phoenix is seeing is that the cookie manager loads cookies without checking if they're expired.
Assignee | ||
Comment 11•8 years ago
|
||
Hi Phoenix, Because the expire cookie will be delete when calling nsCookieService::AddInternal(), and this event occurs on reloading website. If want to fix the screenshot, it needs to add a timer for triggering to remove expiry cookie.
Flags: needinfo?(amchung)
You need to log in
before you can comment on or make changes to this bug.
Description
•