Firefox cookie database
Dan Tobias (Talk | contribs) (→Links) |
m (Links, brackets, and parentheses.) |
||
(9 intermediate revisions by 3 users not shown) | |||
Line 5: | Line 5: | ||
}} | }} | ||
− | Cookies in Firefox are stored in an [[ | + | Cookies in Firefox are stored in an [[SQLite]] format database found in the file '''cookies.sqlite''' in the currently-active user profile directory (exact path is system-dependent). Also, the write-ahead-logging and shared-memory files '''cookies.sqlite-wal''' and '''cookies.sqlite-shm''' are used, but the latter two are re-integrated into the main database file and deleted when you close the browser. |
The structure is seen in this SQL command embedded in the file: | The structure is seen in this SQL command embedded in the file: | ||
− | CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT,expiry INTEGER, lastAccessed INTEGER, isSecure INTEGER, isHttpOnly INTEGER, baseDomain TEXT, creationTime INTEGER) | + | <code>CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, isSecure INTEGER, isHttpOnly INTEGER, baseDomain TEXT, creationTime INTEGER)</code> |
+ | |||
+ | == Firefox Contextual Identity Project (Containers) == | ||
+ | Firefox has implemented OriginAttributes in internal APIs to support features like [https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/ Multi-Account Containers]. Based on that, the same cookie name at the same host on the same path may return multiple values due to different originAttributes values (representing different containers). | ||
+ | |||
+ | As of Firefox 104 (released 2022-08-23), the '''cookies.sqlite''' schema is: | ||
+ | |||
+ | <code><nowiki>CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, originAttributes TEXT NOT NULL DEFAULT '', name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, inBrowserElement INTEGER DEFAULT 0, sameSite INTEGER DEFAULT 0, rawSameSite INTEGER DEFAULT 0, schemeMap INTEGER DEFAULT 0, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, originAttributes))</nowiki></code> | ||
+ | |||
+ | {| class="wikitable" style="margin-left: 0px; margin-right: auto;" | ||
+ | |+ Human-Friendly Schema | ||
+ | |- | ||
+ | ! Field Name !! Type !! Schema !! Notes | ||
+ | |- | ||
+ | | <code>id</code> || <code>INTEGER</code> || <code>PRIMARY KEY</code> || SQLite unique row ID | ||
+ | |- | ||
+ | | <code>originAttributes</code> || <code>TEXT</code> || <code><nowiki>NOT NULL DEFAULT ''</nowiki></code> || Values mapped to containers in <code>conatiners.json</code>. Some containers, like the one for extensions (<code>userContextIdInternal.webextStorageLocal</code>), will always exist even if the Multi-Account Container or Firefox Container extensions are not installed. | ||
+ | |- | ||
+ | | <code>name</code> || <code>TEXT</code> || || Cookie name | ||
+ | |- | ||
+ | | <code>value</code> || <code>TEXT</code> || || Cookie value | ||
+ | |- | ||
+ | | <code>host</code> || <code>TEXT</code> || || Hostname that owns the cookie | ||
+ | |- | ||
+ | | <code>path</code> || <code>TEXT</code> || || Pathname that owns the cookie at the host | ||
+ | |- | ||
+ | | <code>expiry</code> || <code>INTEGER</code> || || Cookie expiration in standard [[Unix time|Unix timestamp]] format | ||
+ | |- | ||
+ | | <code>lastAccessed</code> || <code>INTEGER</code> || || Cookie last accessed time in microseconds since the [[Unix time|Unix epoch]] | ||
+ | |- | ||
+ | | <code>creationTime</code> || <code>INTEGER</code> || || Cookie creation time in microseconds since the [[Unix time|Unix epoch]] | ||
+ | |- | ||
+ | | <code>isSecure</code> || <code>INTEGER</code> || || Send/receive cookie over HTTPS only. Set in Set-Cookie header | ||
+ | |- | ||
+ | | <code>isHttpOnly</code> || <code>INTEGER</code> || || Access to the cookie via client-side script is prevented. Set in Set-Cookie header | ||
+ | |- | ||
+ | | <code>inBrowserElement</code> || <code>INTEGER</code> || <code>DEFAULT 0</code> || [https://bugzilla.mozilla.org/show_bug.cgi?id=756648#c11 Legacy Firefox OS setting to create "cookie jars"] | ||
+ | |- | ||
+ | | [https://web.dev/samesite-cookies-explained/#explicitly-state-cookie-usage-with-the-samesite-attribute <code>sameSite</code>] || <code>INTEGER</code> || <code>DEFAULT 0</code> || Cookies should only be readable by the same site that set them. Set in Set-Cookie header | ||
+ | |- | ||
+ | | <code>rawSameSite</code> || <code>INTEGER</code> || <code>DEFAULT 0</code> || [https://bugzilla.mozilla.org/show_bug.cgi?id=1551798#c19 "Preserve the 'on the wire' value (of the SameSite cookie), meaning the value found in the Set-Cookie header"] | ||
+ | |- | ||
+ | | [https://web.dev/schemeful-samesite/ <code>schemeMap</code>] || <code>INTEGER</code> || <code>DEFAULT 0</code> || [https://bugzilla.mozilla.org/show_bug.cgi?id=1638358#c0 Consider different "schemes" (meaning http vs https) to be different sites] | ||
+ | |} | ||
+ | |||
+ | The '''<code>CONSTRAINT</code>''' clause makes SQLite require the quadruple of <code>name</code>, <code>host</code>, <code>path</code>, <code>originAttributes</code> to be unique. | ||
+ | |||
+ | == Datetime formats == | ||
+ | There are 3 dateime fields: '''expiry''', '''lastAccessed''', and '''creationTime'''. | ||
+ | |||
+ | <code>expiry</code> is stored in standard [[Unix time|Unix timestamp]] format. In SQLite, this can be converted to a human-readable format with <code>datetime("expiry", 'unixepoch')</code>. | ||
+ | |||
+ | However, <code>lastAccessed</code> and <code>creationTime</code> are in microseconds since the [[Unix time|Unix epoch]]. To convert to a human-readable format in SQLite use <code>datetime(("creationTime"/1000000),'unixepoch')</code>. | ||
== Links == | == Links == | ||
* [http://news.cnet.com/8301-1023_3-57591052-93/ad-group-blasts-cookie-privacy-project-from-mozilla-stanford/ Ad group blasts cookie-privacy project from Mozilla, Stanford] | * [http://news.cnet.com/8301-1023_3-57591052-93/ad-group-blasts-cookie-privacy-project-from-mozilla-stanford/ Ad group blasts cookie-privacy project from Mozilla, Stanford] | ||
* [http://blogs.computerworlduk.com/open-enterprise/2013/08/did-you-know-that-mozilla-is-hijacking-the-internet/index.htm Commentary on Digital Advertising Alliance's criticism of Mozilla] | * [http://blogs.computerworlduk.com/open-enterprise/2013/08/did-you-know-that-mozilla-is-hijacking-the-internet/index.htm Commentary on Digital Advertising Alliance's criticism of Mozilla] | ||
+ | * [https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/ Self-destructing cookie plugin: removes cookies when you close a tab] | ||
+ | * [https://www.i-dont-care-about-cookies.eu/ Plugin to get rid of cookie warnings] | ||
+ | * [https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers Mozilla Wiki - Security/Contextual Identity Project/Containers] | ||
+ | |||
+ | [[Category:SQLite based file formats]] | ||
+ | [[Category:Mozilla]] |
Latest revision as of 17:31, 5 October 2022
Cookies in Firefox are stored in an SQLite format database found in the file cookies.sqlite in the currently-active user profile directory (exact path is system-dependent). Also, the write-ahead-logging and shared-memory files cookies.sqlite-wal and cookies.sqlite-shm are used, but the latter two are re-integrated into the main database file and deleted when you close the browser.
The structure is seen in this SQL command embedded in the file:
CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, isSecure INTEGER, isHttpOnly INTEGER, baseDomain TEXT, creationTime INTEGER)
[edit] Firefox Contextual Identity Project (Containers)
Firefox has implemented OriginAttributes in internal APIs to support features like Multi-Account Containers. Based on that, the same cookie name at the same host on the same path may return multiple values due to different originAttributes values (representing different containers).
As of Firefox 104 (released 2022-08-23), the cookies.sqlite schema is:
CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, originAttributes TEXT NOT NULL DEFAULT '', name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, inBrowserElement INTEGER DEFAULT 0, sameSite INTEGER DEFAULT 0, rawSameSite INTEGER DEFAULT 0, schemeMap INTEGER DEFAULT 0, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, originAttributes))
Field Name | Type | Schema | Notes |
---|---|---|---|
id |
INTEGER |
PRIMARY KEY |
SQLite unique row ID |
originAttributes |
TEXT |
NOT NULL DEFAULT '' |
Values mapped to containers in conatiners.json . Some containers, like the one for extensions (userContextIdInternal.webextStorageLocal ), will always exist even if the Multi-Account Container or Firefox Container extensions are not installed.
|
name |
TEXT |
Cookie name | |
value |
TEXT |
Cookie value | |
host |
TEXT |
Hostname that owns the cookie | |
path |
TEXT |
Pathname that owns the cookie at the host | |
expiry |
INTEGER |
Cookie expiration in standard Unix timestamp format | |
lastAccessed |
INTEGER |
Cookie last accessed time in microseconds since the Unix epoch | |
creationTime |
INTEGER |
Cookie creation time in microseconds since the Unix epoch | |
isSecure |
INTEGER |
Send/receive cookie over HTTPS only. Set in Set-Cookie header | |
isHttpOnly |
INTEGER |
Access to the cookie via client-side script is prevented. Set in Set-Cookie header | |
inBrowserElement |
INTEGER |
DEFAULT 0 |
Legacy Firefox OS setting to create "cookie jars" |
sameSite |
INTEGER |
DEFAULT 0 |
Cookies should only be readable by the same site that set them. Set in Set-Cookie header |
rawSameSite |
INTEGER |
DEFAULT 0 |
"Preserve the 'on the wire' value (of the SameSite cookie), meaning the value found in the Set-Cookie header" |
schemeMap |
INTEGER |
DEFAULT 0 |
Consider different "schemes" (meaning http vs https) to be different sites |
The CONSTRAINT
clause makes SQLite require the quadruple of name
, host
, path
, originAttributes
to be unique.
[edit] Datetime formats
There are 3 dateime fields: expiry, lastAccessed, and creationTime.
expiry
is stored in standard Unix timestamp format. In SQLite, this can be converted to a human-readable format with datetime("expiry", 'unixepoch')
.
However, lastAccessed
and creationTime
are in microseconds since the Unix epoch. To convert to a human-readable format in SQLite use datetime(("creationTime"/1000000),'unixepoch')
.