Firefox, localhost, cookies and a stupid RFC
Like most web developers, my main browser for development and testing is Firefox. Not that I particularly like it; in fact I absolutely dislike Firefox. It’s terribly slow compared to Safari, JavaScript performance is poor, after a while it takes up almost as much memory as Photoshop, and it’s from Mozilla, which had once been a hero in the web community but recently is doing whatever it can to lose sympathy. Interesting statements, by the way, from an organisation that gets around 85% of its funds from Google. If it weren’t for the essential Firebug plugin, there would be no reason for me to use Firefox except for testing my work for compatibility.
When I build a website, of course I use a local web server to build the site before I push it to the live server. Something I don’t really like is using long URLs like http://localhost/chipsandtv/ to access my project; you often run into path problems when building a site in a subdirectory that should later run from the web server root. So I prefer to set up a short URL like http://chipsandtv/ by adding a new host name and a new Apache virtual host. Unfortunately, for quite some time I had the issue that Firefox would not accept cookies from localhost, whatever settings I used. All other browsers worked fine.
If you do a Google search for ‘Firefox cookies on localhost’ you’ll find a lot of posts and bug reports from people who have the same problem. No matter whether you use http://chipsandtv/ or http://localhost/chipsandtv/, Firefox always rejects the cookies. Until today the only workaround I had found was to use the IP address instead of the name localhost, something like http://127.0.0.1/chipsandtv/; then it works without problems. But the site is still running from a subdirectory, and frankly it’s an ugly URL when using the IP.
So far I believed it was a Firefox bug, but today I started another desperate attempt to find a solution and found this post, only a few hours old. It seems it is not a bug but a feature in Firefox. RFC 2965, titled HTTP State Management Mechanism, defines (section 3.3.2) that a user agent rejects a cookie when any of the following rules is true:
- The value for the Path attribute is not a prefix of the request-URI.
- The value for the Domain attribute contains no embedded dots, and the value is not .local.
- The effective host name that derives from the request-host does not domain-match the Domain attribute.
- The request-host is a HDN (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.
- The Port attribute has a “port-list”, and the request-port was not in the list.
Essentially this means cookies set from URLs like http://chipsandtv/ or http://localhost/chipsandtv/ are rejected for security reasons because the host names contain no embedded dots. If you rename your host name to http://chipsandtv.local/ it works, because .local is explicitly allowed by the RFC.
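To make the rules above concrete, here is an added example (my own code, not part of the original post) that models the RFC 2965 section 3.3.2 rejection checks and runs them against the host names discussed in the post: localhost, chipsandtv, chipsandtv.local and 127.0.0.1. Two assumptions are built in and marked in the comments: the Domain attribute is compared as sent (the leading-dot normalisation the RFC also describes is left out so the literal host names compare directly), and a Set-Cookie without a Domain attribute is treated as a host-only cookie that skips the domain rules.

```python
"""Model of the RFC 2965 section 3.3.2 cookie-rejection rules.

Added example, not code from the original post. Assumptions: the Domain
attribute is compared as sent (no leading-dot normalisation), and a cookie
with no Domain attribute is host-only and skips the domain rules.
"""

import ipaddress


def is_hdn(host: str) -> bool:
    """True for a host domain name (HDN), False for an IP-address literal."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def effective_host(request_host: str) -> str:
    """RFC 2965 section 1: a request-host with no dots gets '.local' appended."""
    request_host = request_host.lower()
    return request_host if "." in request_host else request_host + ".local"


def domain_match(a: str, b: str) -> bool:
    """RFC 2965 domain-match: the strings are equal, or A has the form N+B where
    N is non-empty and B starts with a dot (x.y.com matches .y.com, not y.com)."""
    a, b = a.lower(), b.lower()
    if a == b:
        return True
    return (is_hdn(a) and b.startswith(".") and len(b) > 1
            and a.endswith(b) and len(a) > len(b))


def reject_reason(request_host, request_path="/", domain=None, path=None,
                  port=None, request_port=80):
    """Return None if the cookie is accepted, otherwise the rule that rejects it."""
    # Rule: Path must be a prefix of the request-URI.
    if path is not None and not request_path.startswith(path):
        return "Path is not a prefix of the request-URI"
    # Rule: a Port attribute with a port-list must contain the request-port.
    if port is not None and request_port not in port:
        return "request-port is not in the Port list"
    # Assumption: no Domain attribute -> host-only cookie, domain rules skipped.
    if not domain:
        return None
    d = domain.lower()
    # Rule: Domain with no embedded dots is rejected, unless it is exactly .local.
    if "." not in d.strip(".") and d != ".local":
        return "Domain contains no embedded dots and is not .local"
    # Rule: the effective request-host must domain-match the Domain attribute.
    if not domain_match(effective_host(request_host), d):
        return "effective request-host does not domain-match Domain"
    # Rule: request-host of the form HD (H containing a dot) is rejected.
    rh = request_host.lower()
    if is_hdn(rh) and rh.endswith(d) and "." in rh[: -len(d)]:
        return "request-host has the form HD with a dot in H"
    return None


def check_post_hosts():
    """The situations from the post: which local host names keep a cookie.
    The (request-host, Domain attribute) pairs are constructed sample input."""
    cases = {
        "localhost (Domain=localhost)": ("localhost", "localhost"),
        "chipsandtv (Domain=chipsandtv)": ("chipsandtv", "chipsandtv"),
        "chipsandtv.local (Domain=chipsandtv.local)": ("chipsandtv.local", "chipsandtv.local"),
        "127.0.0.1 (Domain=127.0.0.1)": ("127.0.0.1", "127.0.0.1"),
        "localhost (no Domain attribute)": ("localhost", None),
    }
    return {label: reject_reason(host, domain=dom) for label, (host, dom) in cases.items()}


if __name__ == "__main__":
    for label, reason in check_post_hosts().items():
        verdict = "accepted" if reason is None else "REJECTED: " + reason
        print(f"{label:45} -> {verdict}")
```

Running it shows the two dotless names rejected by the "no embedded dots" rule, while chipsandtv.local, the IP literal and a cookie without any Domain attribute all pass, which is exactly the behaviour the post and the workarounds describe.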
Conclusion
Renaming all my local host names to http://hostname.local/ solved the problem for me, although I still think it’s rubbish. I want to use a host name without the .local extension. In WebKit (e.g. Safari) it works fine; only Mozilla causes problems. You can’t blame them for having a faulty browser engine here, but you can blame them for overzealously implementing security recommendations. After all, the above RFC is almost 10 years old; back then the mere mention of cookies caused people to panic. Today, however, cookies are a widely adopted technology and browsers handle them well. Attacks using malicious cookies are not very common anymore as far as I know.
After discovering the exclusion of the JavaScript click() method for elements like file inputs, this is already the second time in the last few weeks that I’m really annoyed with Mozilla because of their overzealous security restrictions. I’m looking forward to the day when Apple gives Safari a nice developer extension like Firebug. Then I can finally drop Firefox as the main development browser (and remove all the ugly .local extensions from my host names again…).
Comments
I have the same issue. Thanks for the post, and yes, the ‘security’ rule is questionable. They could at least have a message popping up to explain why the cookie is rejected.
I’ve actually got the reverse problem from you. I set up VMs running similar setups as the production servers in order to get things running smoothly. I then set up test domains like example.ubuntu or example2.win, only WebKit doesn’t seem to like these, while Firefox does!
Tried changing to .local (as I know Apple likes this extension) with no luck either.
If you’re using PHP, you can set cookies for the localhost domain that are honored by Firefox:
In the PHP setcookie function, set the domain parameter to an empty string for domains that are locally hosted. Firefox will honor these cookies.
For example:
    // Returns '' for a host name without an embedded dot (e.g. localhost),
    // so that no Domain attribute is sent and Firefox keeps the cookie;
    // otherwise returns the host name itself. The offset of 1 skips a
    // possible leading dot.
    function cookie_domain () {
        return strpos($_SERVER['HTTP_HOST'], '.', 1) === false ? '' : $_SERVER['HTTP_HOST'];
    }

    // name, value, expiry (60 seconds from now), path, domain, secure
    setcookie('name', 'value', time() + 60, '/', cookie_domain(), false);
I haven’t found your explanation to be entirely true. I’ve also been having the difficulty with Firefox, cookies, and a locally run Apache install. However, I set up my server as myserver.dev and all my sites are subdirectories, i.e. myserver.dev/chipsandtv.
The .dev part made no difference compared to just calling it plain localhost, and the only thing that worked was when I used 127.0.0.1 to access the site.
Maybe I’ve been having a slight variation of a similar bug, but the only surefire fix I know of for this is to, as you posted in the article, use 127.0.0.1.
Hi Adam, try changing .dev to .local and see if it makes a difference. .local is explicitly mentioned in the RFC and works fine for me.