Cookies set to "Never" but Safari now accepts all cookies anyway

I just moved to Lion from 10.6.8 last week. Under Snow Leopard I had been managing cookies as documented here:

https://discussions.apple.com/thread/3140339?answerId=15972713022#15972713022

As nicoladie noted, cookies in Lion are not stored in the same place as under Snow Leopard. Lion did not replace or delete the Snow Leopard cookies file, /Users/<name>/Library/Cookies/Cookies.plist; but it no longer writes to it. Also, the cookies that were present in that file were *not* copied over to the Lion environment in the upgrade / installation process.

Lion does indeed stash its cookies in /Users/<name>/Library/Cookies/Cookies.binarycookies. You can use the Terminal (Unix) command 'strings' to locate Ascii strings in this binary file. The following counts all sites that have set cookies and then lists them:

cd /Users/<name>/Library/Cookies

strings Cookies.binarycookies | egrep -c '^\.'

strings Cookies.binarycookies | egrep '^\.'

So I have now added these lines to my cookie-cleaning script, which I run by hand each time I quit Safari:

cd /Users/<name>/Library/Cookies/

cp Cookies.binarycookies prev-Cookies.binarycookies

cp good-Cookies.binarycookies Cookies.binarycookies

Before establishing good-Cookies.binarycookies, I visited Safari Preferences > Privacy > Details... and cleaned out unwanted cookies. Since Safari as of 5.1 no longer gives you the granularity to list or delete individually a site's cookies, cache entries, and local storage -- but only all of them together -- I first cleaned out the cache via Safari > Clear Cache...

Ok, I think I found out where the bug is.

First, when you launch Safari, if you left its Preferences window open when you quit last time, you will discover that it sets the "Block cookies:" to "From thrid parties and advertisers" even though you set it to "Always" before.

In a split second later, it will set it back to "Always". This provides a leak to allow cookies to be set, even though you previously set it to always block it.

Second, because Lion preserves the previous state of the app when you quit, and persists the same state when you next launch it, it means when you left browser windows open while you quit, those websites will be re-visited again on launch. Because Safari set the cookies block to "From thrid parties and advertisers" on launch, it allows the cookies to leak in that split second before it re-sets it back to "Always".

That is why it appears cookies were never blocked, but the cookies were really blocked, except during launch, it allows cookies to be set, before blocking it a second later.

This is a classic bug for not setting the init condition correctly. Stupid Safari keeps resetting the init default for cookie-block as "From thrid parties and advertisers" instead of setting the init condition to what the user had set in Preferences last time.

So the workaround is always close all the browser windows when you quit Safari. Don't give it a chance to re-open those windows revisiting the previous websites (with cookies enabled during the split second when Safari is re-launched).

I discovered another source of problem why cookies keep reappearing when re-launched.

If you "Empty Cache...", and re-launch again, those cookies will disappear.

Safari should not re-use the cache that are out-dated. I know Lion wants to restore the previous state when re-launch, but restoring the cookies from cache is not the correct way to do it.

What this means is that Safari actually accepts all cookies and put them in cache even when you block all cookies as specificed in Preferences. That is a no-no practice. The cookies should not even be accepted and stored in cache in the first place!

Who wrote the Safari code? Seems like it is written by a hacker instead of a professional programming.

So here is the fix:

* If you see strange cookies that are not supposed to be there, "Empty Cache..."

* Re-launch Safari, all those extra cookies will disappear.

Thanks for confirming everything I thought doing those same tests and watching cookies fire right back in.

That is correct. "Always" means always go away. Always is the new never.

.

I deleted my above comment b/c 'Local Storage' came back, which I mention later as to why....

Both found by Google:

1) To prevent a particular site from using local storage ever again (say, samy.pl, home of and test site for evercookies), exit Safari and run these two commands:

cp /dev/null ~/Library/Safari/LocalStorage/http_samy.pl_0.localstorage

chmod 0 ~/Library/Safari/LocalStorage/http_samy.pl_0.localstorage

2) Search Applications for anonymous surfing. The app, which I do not want Apple to block has been successful, but there are plenty of these applications and may do the trick as well.

I don't know if it helps, but I add 'Block Pop-Up', 'Private Browsing' and limit 'Cookies' to 'Always' or from '3rd Parties', etc...

Lastly, it isn't perfect. I must have the application running before the start of my Safari 5.1.2 on OSX 10.6.8 and do not seem to get any 'Local Storage' issues most of the time, now it just saves 'Cache'.

Hope this helps and did not read anyone trying Anonymous Surfing software.

I may try That.

In General for others,

NEVER follows - Block Cookies, why is this complicated?

It's saying always allow all. Of course Apple could have just used the simpler term.

No options on ALWAYS - Block.

We pick the 10 we need, the rest never get in.

For some reason, money incentive perhaps, impossible to make active.

And the next settings -

LIMIT website access to location services - very strange.

Makes me wonder,

how Apple would write trafffic laws for the road using alternatives that sorta suggest stop.

nicoladie wrote:

So here is the fix:

* If you see strange cookies that are not supposed to be there, "Empty Cache..."

* Re-launch Safari, all those extra cookies will disappear.

Nic,

Try this next time to see if you get better results.

I never see much result with 'Empty Cache", maybe 2% of RAM is effected.

What I do now,

Kill Safari Web Content in Activity Monitor.

I instantly gain 47% of my RAM back when it was maxed out of 4GB on MBP,

and overall system running sluggish.

That is not true.

Safari always accepts ALL cookies (and put them in Cache), independent of what privacy setings you had set in preferences, i.e., it disregards whether you set it to block "always", "never" or "from 3rd parties and advertisers".

If you visit a website that requires cookies, the website will detect that Safari rejected the cookie. But, in reality, Safari never rejected the cookie. It simply tells the website it rejected it, but quietly accepts the cookie, and save it in Cache. That is the problem!

You may not see all the rejected cookies showing up during the current browsing session. But if you quit and re-launch Safari, all your blocked cookies will show up, and reappear. They came back alive in the next browsing session.

That is unwarrented behavior is due to 2 causes:

1. Lion preserves the previous state of the app, and pulls all the saved cookies from cache and populates your cookies storage when you re-launch again. That is why they reappear in your next launch.

2. Safari always "enable cache" whenever you re-launch it, even though you had previously "disable cache" from the "Develop" menu (if you had turned on the Develop menu in Advanced mode) in your previous browsing session.

This is caused by 2 bugs in Safari:

1. It should never save the cookies in cache (in the first place), even when you had disabled cookies( by set cookies to be blocked in preferences.)

2. It should never reset and enable cache when you re-launch Safari, even when you had disabled cache before.

Until Apple had fixed these 2 bugs, the workaround is:

1. Close all windows before you quit Safari.

2. Then empty cache befoer quitting Safari.

3. Relaunch Safari, and empty cache immediately.

4. Relaunach Safari one more time.

This will clear all you unwanted cookies and unwanted caches.

I should of mentioned I'm on 10.6.8.

Might not apply in this case.

But for sure the RAM gain is marvelous as described.

If I set cookies other than 3rd party, or never, I can't get in here, or gmail.

You have to enable cookies whenever you visit a website that requires log-in. So cookie is the necessary evil in HTTP. There is no way around this, except to accept the cookie if you ever need to log into a website (via HTTP).

(That is because HTTP is a stateless communication protocol - it does not remember who you are when you visit them. The only way they can remember and verify your log-in identity definitively is the use of cookie, which they deposit a secret code in your computer cookie and verify that secret code when you communicate with the website. Otherwise, it will forget you as the logged-in user, and cannot verify your identity as authenticated.)

The problem is, even if you blocked all cookie, if you enable the cookies (because you need to log into a website), all the unwanted cookies prior to that will reappear (even though you had just blocked them).

This issue is independent of whether you are running 10.6.8 or 10.7. All the unwanted cookies prior to your enabling during the same session will re-appear, as soon as you turn cookies on to log into a website. You don't have to re-launch Safari to see the unwanted cookies to re-surface.