[Firefox Quantum 63.0.3 (x64)]
By default the browser is set to delete all cookies on exit (a stupid oversight because it completely breaks any configuration designed to retain cookies, and makes any kind of cookie-based auto-login absolutely impossible outside of the fix detailed below).
- about:config > privacy.clearOnShutdown.cookies :: false
- install Cookie Quick Manager Firefox addon
- select and use the above addon on the browser top menu bar: Cookie Quick Manager > Manage All Cookies and use it to lock the cookies required for the desired auto-login(s) (appending the padlock symbol to them) and to delete any other (unwanted) cookies by clicking on the trash bin icon (note: this will log you out of any active sessions, clear form data, etc. so do not do this during any site transactions or whilst filling in any online forms).
- again click on the top menu bar Cookie Quick Manager icon and select Options from the drop-down menu
- untick Prevent sites from clearing protected cookies, even if they are expired (this helps to avoid session-reuse compromises by ensuring that the auto-login session can expire and be periodically refreshed), and tick Delete all cookies on restart and Always open Cookie Quick Manager in new tab.
Cookie-based auto-logins should now work as expected, but some further fine-tuning of the browser options may be required in some cases. The Electronic Frontier Foundation (EFF) Privacy Badger addon is also highly recommended, as is the Canvas Blocker addon for dealing with browser fingerprinting.
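To check that the about:config step above has landed in the profile and is not undone by another setting, the profile's `prefs.js` and `user.js` can be inspected. The following is an added example, not part of the original page: the function names and sample file contents are constructed, and the check on `network.cookie.lifetimePolicy` (a Firefox pref where 2 means session-only cookies) goes beyond the single pref the page names.

```python
import json
import re

# Matches one line of prefs.js / user.js: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value}; a later line for the same pref wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw  # keep unparsed values verbatim
    return prefs

def cookie_loss_reasons(prefs_js, user_js=""):
    """List the prefs that can still discard cookies when Firefox exits."""
    prefs = parse_prefs(prefs_js)
    prefs.update(parse_prefs(user_js))  # user.js is applied over prefs.js at startup
    reasons = []
    # The page's step: this pref must be explicitly false.
    if prefs.get("privacy.clearOnShutdown.cookies") is not False:
        reasons.append("privacy.clearOnShutdown.cookies is not false")
    # Assumption beyond the page: 2 makes every cookie a session cookie.
    if prefs.get("network.cookie.lifetimePolicy") == 2:
        reasons.append("network.cookie.lifetimePolicy is 2 (session-only cookies)")
    return reasons

# Constructed sample profile content, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("network.cookie.lifetimePolicy", 2);
'''
SAMPLE_USER_JS = 'user_pref("network.cookie.lifetimePolicy", 0);\n'

if __name__ == "__main__":
    for label, user_js in (("prefs.js only", ""), ("prefs.js + user.js", SAMPLE_USER_JS)):
        found = cookie_loss_reasons(SAMPLE_PREFS_JS, user_js)
        print(label, "->", found or "no cookie-clearing pref found")
```

This only reads browser prefs; the Cookie Quick Manager option Delete all cookies on restart is stored by the addon and is not covered by it.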
Ticking Automatically Log out when all browsers are closed and Firefox has been closed for (mins) or Automatically Log out after idle (mins) will completely break auto-login functionality in both Firefox Quantum and Ice Dragon unless custom settings for history are used, with the browser cache always being retained (definitely not good from a security or privacy perspective).
Two-factor authentication should be used to mitigate potential issues with this; unfortunately options here are limited as LastPass have, to date, refused to implement U2F, FIDO, and FIDO2 and have confirmed that they have absolutely no plans, or intention, to do so either now or at any point in the future. It is to be hoped, however, that loss of market share to competitors will encourage them to reconsider this ignorant approach to 2FA.
- November 2018
- Just John, @: Ex5NY27U corequery.uk
- secure email address as detailed above -