Open Bug 1638296 Opened 4 years ago Updated 4 years ago

cookie expiration development tools

Categories

(DevTools :: Storage Inspector, enhancement, P3)

Product:
DevTools
Component:
Storage Inspector
Version:
76 Branch
Type:
enhancement

Tracking

(Not tracked)

People

(Reporter: mozilla.org, Unassigned)

References

(Blocks 2 open bugs)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0

Steps to reproduce:

  1. Set Firefox to "Delete cookies and site data when Firefox is closed" under Preferences > Privacy & Security > Cookies and Site Data

  2. Use website code to place a cookie that expires in 1 hour

  3. Open the Developer Tools (F12)

  4. Go to the "Storage" tab

  5. Click "Cookies in the left side panel

  6. Click on the website domain

Actual results:

8a. View the column "Expires / Max-Age" and notice that is says "Session"
8b. When selecting the cookie, in the right side panel, it also states "Session".

Expected results:

It is not possible to guess how long a user will use Firefox, aka, how long the browser-session will be. This can be 1 hour or 1 year theoretically.

As a developer it is confusing not to be able to see when a cookie expires exactly though, when Firefox is set to delete cookies after the browser-session.

What I suggest is to show the following in the column "Expires / Max-Age":

  1. For a cookie that has no set expiration:
    1a) "Until cleared" if Firefox does not clean cookies after closing. Because then it will only be gone when the user clears the cache manually.
    1b) "Browser session", for when Firefox is set to clear cookies after each browser session. (notice 'Browser session' to not confuse developers with it having something to do with the server session)

  2. For a cookie that has an expiration
    2a) "<date time>" when Firefox does not clean cookies after closing.
    2b) "<date time> or when browser session ends" for when Firefox is set to clear cookies after each browser session.

This would allow a developer to still be able to check what the expiration date and time of a cookie is, even if Firefox is set to delete cookies at the end of the browser-session.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Networking: Cookies
Product: Firefox → Core

So according to: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Creating_cookies

Session cookies

The cookie created above is a session cookie: it is deleted when the client shuts down, because it didn't specify an Expires or Max-Age directive. However, web browsers may use session restoring, which makes most session cookies permanent, as if the browser was never closed.

I don't know if the labels are really that confusing, but this is ultimately a devtools decision.

Component: Networking: Cookies → Storage Inspector
Product: Core → DevTools

(In reply to Valentin Gosu [:valentin] (he/him) from comment #2)

So according to: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Creating_cookies

Session cookies

The cookie created above is a session cookie: it is deleted when the client shuts down, because it didn't specify an Expires or Max-Age directive. However, web browsers may use session restoring, which makes most session cookies permanent, as if the browser was never closed.

I don't know if the labels are really that confusing, but this is ultimately a devtools decision.

Just to clarify, I do suggest to set a expiration for the cookie (1 hour for example) in step 2 of the steps to reproduce. Like so:

my_cookie_name=123ab; expires=Mon, 18-May-2020 09:26:27 GMT; Max-Age=3600; path=/; secure; HttpOnly

This ticket is not about cookies not having an expiration set.

So you mean we should mark them as being session cookies if you have the browser set to clear cookies at shutdown?

(In reply to Valentin Gosu [:valentin] (he/him) from comment #4)

So you mean we should mark them as being session cookies if you have the browser set to clear cookies at shutdown?

The other way around actually.

Now, cookies with an expiration date and time always and only display "Session" in the "Expires / Max-Age" column, when the browser is set to clear cookies at shutdown.

What would help developers (debugging) is to be able to see when the cookie expires exactly (date and time). Even when the browser is set to clear cookies at the end. So instead of just "Session" it could be described as "<date time> or when browser session ends" to cover both cases.

Because right now, when the browser is set to clear cookies at the end, you can never see the actual expiration date and time of a cookie. Only "Session".

In my example the cookie lasts 1 hour. So it is confusing to read "Session" in the "Expires / Max-Age" column, since after 1 hour the cookie is actually gone. Even though the browser session never ended.

Thanks for the report!

I agree, the label feels a bit confusing and there are probably better ways to explain the user what the value means.

  • we can improve a label
  • we can improve a tooltip
  • we could also provide some learn more icon

Some more discussion is yet needed.

Honza

Blocks: 1312444
Severity: -- → S3
Status: UNCONFIRMED → NEW
Has STR: --- → yes
Ever confirmed: true
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.