Keep cookies/logins [solved: add Cookie + Site Data Exceptions]

[IceDBorn]

Is there a way to keep cookies on V94? On previous versions I changed user_pref("privacy.clearOnShutdown.cookies", true) to false and I could keep cookies for specific sites using CookieAutoDelete. As of V94, this setting is false by default and I can't seem to find a way to keep cookies for specific sites.

[Thorin-Oakenpants]

all cookies are session only now: so you need to add exceptions for those sites you want: e.g. to auto-login

you add them to exceptions in Cookies + Site Data, as Allow

user.js/user.js

Lines 868 to 875 in 4b393b9

	/** COOKIES + SITE DATA : ALLOWS EXCEPTIONS ***/
	/* 2801: delete cookies and site data on exit
	* 0=keep until they expire (default), 2=keep until you close Firefox
	* [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed
	* [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow
	* If using FPI the syntax must be https://example.com/^firstPartyDomain=example.com
	* [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/
	user_pref("network.cookie.lifetimePolicy", 2);

[Thorin-Oakenpants]

unless you want to keep ALL cookies, this is way better for sanitizing (so you're not re-IDed in subsequent sessions by state tracking)

if you do want to keep ALL cookies, just flip the lifetimePolicy pref to 0

[IceDBorn]

I already tried adding sites to the allow list but it still deletes them.

[IceDBorn]

[rusty-snake]

If using FPI the syntax must be https://example.com/^firstPartyDomain=example.com

[Thorin-Oakenpants]

#1223 (comment)

[Thorin-Oakenpants]

in arkenfox v96 we're going to be switching from FPI to dFPI, so you might as well keep the existing ones to save doing them again (dFPI can't use the FPI syntax - yet, and certainly not in v96)

or

• it's simple to edit them in the sqlite file (while FF is closed)
• or switch to dFPI now (override recipe)
• or change the lifetime pref to 0 until we reach v96

[IceDBorn]

Thanks a lot!

[Thorin-Oakenpants]

see #1281

[theltalpha]

Hallo! Sorry if this has been asked elsewhere: Are the site data exceptions set via the Firefox UI something that would be affected by user_pref("privacy.clearOnShutdown.siteSettings", true); or are they kept regardless of this setting?

[rusty-snake]

backup and test ;)

siteSettings = permissions¹, content preferences (zoom, ...?), dom push notifications, security settings (hsts, ...?), cert exceptions

¹ "site exceptions" are permissions

[theltalpha]

backup and test ;)

True! Just am not able at the moment and was impatient to learn. ;-) So thanks for the clarification!

Oh, and by the way:

(hsts, ...?)

Thist is the reason why I have presently set the mentioned userPref to true, because it clears HSTS upon shutdown.

[rusty-snake]

HSTS is stored in SiteSecurityServiceState.txt so you could sanitize it with an shell-script.

Why do you want to clear HSTS?

[Thorin-Oakenpants]

HSTS is isolated by first party with FPI
HSTS is isolated with network partitioning (if you're not using FPI)

What are you trying to achieve by clearing HSTS?

[theltalpha]

Hi! Thank you for the clarification. Clearing HSTS is based on these considerations: How to prevent HSTS tracking in Firefox and solution 2. presented therein. But the article is from 2015, and I never investigated if in the meantime more appropriate solutions could be applied (which seems the case through FPI, if I understand Thorin-Oakenpants correctly).

[rusty-snake]

If you use https_only_mode (default in the arkenfox user.hs), the HSTS tracking described in https://arstechnica.com/information-technology/2015/01/browsing-in-privacy-mode-super-cookies-can-track-you-anyway/ is limited to sites where you added an exception (i.e. site you load via http). All other sites will get a white id.

[Thorin-Oakenpants]

^^ I was just about to post that.

There are two things that give his cookies super powers. The first is that once set and depending on the specific browser and platform it runs on, the cookies will be visible even if a user has switched to incognito browsing. The second is that the cookies can be read by websites from multiple domain names, not just the one that originally set the identifier.

FPI/dFPI removes the cross-domain aspect. And most sites are already HTTPS... and I didn't get as far as looking into HTTPS-only mode and what all of that means