
Cookie Controller


Unfortunately, Mozilla does not provide all the necessary APIs that would allow this add-on to be migrated to WebExtensions. If you want to continue using it after November 14, 2017, you might consider replacing your browser with Pale Moon, SeaMonkey or Waterfox. Many thanks for your feedback and support over the years.

Quick Setup
You can use Cookie Controller solely from the tools menu, but most people will want to install one or more of the toolbar buttons. Open the customise toolbar palette by right clicking on a toolbar and you will find three buttons that you can drag onto a toolbar anywhere you like. You can choose plain buttons where context menus are accessed using a right click, or menu-buttons where there is a dropdown marker next to the button for accessing the menu.

First drag the Toggle button, the one with a picture of Cookie Controller. This will be red or green, as Cookie Controller decides what your current configuration is closest to, but nothing has changed yet. Click the button to set global cookie permissions. Red indicates that all cookies are denied and this should be your normal setting. Green indicates that cookies are allowed, but only until the end of the session and not 3rd party cookies. The tooltip will always tell you what the current settings are, as well as the total number of cookies currently stored. I recommend that you also activate the "Force Off state at start" setting.

Now drag the yellow cookie Perm button. This will indicate the exact cookie permissions for the current page. When you do not have an actual web page or file loaded it will be disabled and grey. Different icons indicate at a glance whether the current page is allowed to set cookies and the tooltip will give more detail. The tooltip also indicates what action clicking the button performs, either to add or remove an exception for the current host, or you can choose the exact exception type from the menu.

Stop! You probably don't need the third button. If you think you really do, see the advanced configuration section. There are also masses of options on the button context menus and the tools menu, but you will rarely need those either. Simply let Cookie Controller be red and block cookies for you. If you trust a website and want it to remember your login or other settings, click the Perm button to give that site an exception. If you just want to allow cookies temporarily, perhaps when a stubborn website won't work without them, you can click the Toggle button to green and it will allow cookies until you close Firefox.

Advanced Configuration
The Toggle button
The Toggle button has a menu that allows you instant access to a number of cookie-related dialogs, as well as giving detailed control over the way the Toggle button works. These settings allow any cookie permissions setting supported by Firefox, including hidden options. The button context menu only shows you the options relevant to the current button state, but you can see all the options at once on the tools menu. To experiment with the settings you may find it easier to pin the config menu open using the pin icon, or to hold it open with the ctrl key while you change the settings.

The default toggle settings provide strong privacy by denying all cookies in the off state. The on state allows access to sites that don't work properly without cookies, while still maintaining your privacy by discarding them when Firefox is restarted. The same overall settings apply to DOM storage, which Firefox will not otherwise allow you to see or control.

The 3rd party cookies setting indicates whether cookies can be set which do not share the same domain as the current location showing in the Firefox location bar. These are frequently tracking cookies, but can also be used for legitimate purposes such as syndicated logins. If you allow cookies to be set, especially if you allow cookies that are persistent, then you would probably want to disable this. The visited only setting will not appear in older versions of Firefox. It allows third party cookies to be set only if the host has been visited, or more precisely only if there are already cookies set for that host, so visiting might not be sufficient. Permissions for the host to set 1st party cookies are unaffected. These settings do not apply to DOM storage, which does not currently understand the concept of 3rd party.

The on state and the off state each have three more settings to protect your privacy, although not the same three. Expiration days limit is a setting which is hidden in recent Firefox releases and limits the lifetime of any cookie to a set number of days, indicated by the Toggle tooltip and changed in the about:config dialog. This only applies in the on state and clearly only applies if cookies are allowed to be stored.

Both the on and off states have settings for session only and ask about cookies. Either or both of these can be set. Session only on its own will limit all cookies to the length of the current Firefox session. Note that closing Firefox does not necessarily delete these entirely, and some cookies may be recovered after a restart if the previous session is restored. Cookies that do not relate to pages in the session store are irretrievably deleted when Firefox is restarted. The ask about cookies setting causes a dialog to display when a web page wants to set a new cookie or change an existing one. Turning on both of these settings produces a condition where session cookies are stored without asking and persistent cookies produce the ask dialog. This privacy state is not available from the Firefox options dialog.

Finally, in the off state there is a setting to deny all cookies, which is self-explanatory. This overrides any other settings that may be checked. Some of the Toggle settings may be greyed out, indicating that they cannot currently be changed because it would create an illegal state. Typically this is a state where the off button is less restrictive than the on button. In some cases, choosing one setting, for example the expiration days limit, will deselect others because the combination is invalid. In case of difficulty, try pinning open the tools menu so you can see which settings are conflicting.

The Perm button
The second button indicates the exact cookie permissions for the current page host. The icon gives an indication of the state by showing a green tick for allowing persistent cookies, a blue tick for allowing cookies for the duration of this session, a question mark if an ask dialog will be produced for each cookie, a hash/pound symbol if cookies are allowed but will expire after a particular number of days, or a red X if cookies are completely denied. In all cases, the tooltip will indicate in detail the privacy settings for the current page, including the state of third party cookies and DOM storage. Privacy settings for a page may be from the default global settings, or by virtue of an exception that applies to the page.

The tooltip also indicates what action will be performed by left clicking the button. This can also be seen on the right click context menu. There are five radio menu items (four in older versions), one of which shows the current privacy setting, which can either be the same as the global settings or an exception for this web site. The bold entry indicates which setting will be applied by clicking the button, or you can select a different setting to add, change, or remove an exception for this host. Allow and deny exceptions are self-explanatory. An allow for session setting allows cookies to be stored, but they will be deleted no later (possibly earlier) than the end of the current session. The recommended exception type, given that you should be browsing with cookies denied globally, is to allow 1st party only. This means that pages belonging to the current host can set (and retrieve) cookies, but the host cannot do so when it would be a third party on a different page. Occasionally this may be too restrictive, for example if you want to access some Facebook functions embedded in other pages and requiring cookies.

The domain name for which exceptions are set can be controlled by two settings on the context menu. It is possible to remove either just any initial "www." or to remove all subdomains, for example stripping scholar.google.com and storing exceptions for google.com. Note that this can cause exceptions set on one page to apply to another with a different subdomain, for example images.google.com. It is possible for there to be conflicting exceptions set at several different levels of a domain hierarchy. You can examine these in detail using the exceptions dialog, but removing and resetting them using the Perm button should remove conflicts and leave you with just an exception according to your current Cookie Controller settings.
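
The effect of the two domain settings described above, as an added example that is not Cookie Controller's own code. The function names, the mode names, the three-entry public suffix set and the most-specific-match lookup rule are all assumptions made for illustration.

```javascript
// Added illustration, not Cookie Controller's code. All names are hypothetical.
// Constructed, deliberately tiny stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain: the longest matching public suffix plus one more label.
function baseDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return labels.join("."); // unknown suffix: leave the host untouched
}

// Host under which an exception is stored, for each of the two menu settings.
function exceptionHost(host, mode) {
  const h = host.toLowerCase();
  if (mode === "strip-www") return h.replace(/^www\./, "");
  if (mode === "strip-subdomains") return baseDomain(h);
  return h; // "exact"
}

// Assumed lookup rule: try the exact host, then each parent domain;
// the most specific stored exception wins, else the global setting applies.
function effectivePermission(host, exceptions, globalSetting) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (exceptions.has(candidate)) {
      return { from: candidate, permission: exceptions.get(candidate) };
    }
  }
  return { from: "global", permission: globalSetting };
}

// Constructed scenario: one exception stored with subdomains stripped,
// and a conflicting one stored earlier for an exact host.
function demo() {
  const exceptions = new Map([
    [exceptionHost("scholar.google.com", "strip-subdomains"), "allow 1st party only"],
    [exceptionHost("mail.google.com", "exact"), "deny"],
  ]);
  return ["scholar.google.com", "images.google.com", "mail.google.com", "www.example.org"]
    .map((h) => [h, effectivePermission(h, exceptions, "deny")]);
}

console.log(demo());
```

In this scenario images.google.com inherits the exception that was set while viewing scholar.google.com, while mail.google.com keeps its own conflicting entry until it is removed.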

The Perm button context menu can also show you all the cookies for this domain, and all the DOM storage items for this origin (scheme plus host plus port). A tooltip will show you the item contents and you can remove it by clicking, or remove all by clicking the relevant menuitems. These options can optionally be hidden from the Perm button and Toggle button context menus.

The Tidy button
The third and final Cookie Controller button is the Tidy button, showing a crosshair on an unfortunate cookie. It allows you to delete some or all cookies (or DOM storage) by clicking the button, as well as showing cookie and DOM storage item counts and each individual item. If you need this button, you are probably doing it wrong! If you feel the need to manually delete cookies then your privacy settings, as controlled by the Toggle and Perm buttons, are perhaps wrong. Why allow such cookies on your computer in the first place, or why allow them to last beyond the end of the session or a limited number of days?

So if you really want to see how many cookies each web site has then you can drag the Tidy button onto a toolbar. The tooltip will describe the number of session cookies, persistent cookies, session storage, and local storage items relevant to the current page, as well as totals for Firefox. DOM storage grand totals are not available because Mozilla doesn't feel you have the right to this information. Even cookie counts are not available in private browsing windows because again Mozilla doesn't feel you need to know. You'll just have to trust them when they say they are removed at the end of the session. Reporting and viewing DOM storage is not always accurate. There are a number of outstanding bugs related to session and local storage, although Firefox versions from around 21 are correct most of the time.

Be careful because clicking the Tidy button will remove something and usually it won't ask you first. The tooltip tells you what will be removed, or you can remove a different set of cookies using the right click context menu. Trying to remove every cookie, and all DOM storage, will produce a confirmation dialog, but you can set this not to show if you feel really brave.

The Tools menu
To see all available Cookie Controller settings, open the tools menu and click on Cookie Controller. The tools menu is no longer visible by default and Cookie Controller is not on the Firefox app button to reduce clutter. You can still show the menu toolbar if you wish to use a function that is not available from the Firefox button, such as the Cookie Controller tools menu. The tools menu is also more accessible using only the keyboard. Or you can configure the Cookie Controller tools menu to a location of your choice using a menu editor addon.

Temporary Exceptions
Normally when you set an exception using the Perm button, it lasts until you change it or remove it. It is also possible to set an exception just until the end of the current session, so once you restart Firefox that web page will be back to the permissions it had previously. This is done using modified clicks on the Perm button or menu. If you use a middle-click or hold down the CTRL key while clicking, that permission will be temporary. This may be a more convenient way of temporarily allowing permissions to websites that appear not to be working without cookies, but you should probably only use it to allow session cookies so that the cookies themselves are as temporary as the exception that allows them.

For more details on what is happening behind the scenes, read the developer comments at the bottom of this page.

This page is part of the LegacyCollector website.