Can I whitelist cookies from certain websites?
June 2, 2021 3:23 AM
I'd like to be able to whitelist cookies, especially login cookies, on certain websites, so they won't expire. Can I? How? Can't I? Why?
I suspect this isn't possible, so explanations on why that is are also welcome -
I'd like to whitelist the cookies from selected websites that I trust and use frequently. Notably the login cookies for services I'm subscribed to. In general I'd like to just let a few websites go nuts, since that's what I do anyway. I just want to waste less time on clicking through the same dialog boxes, logging in, filling out captchas, all that.
I'm on a mac running Big Sur, currently I use Safari. I also use Safari on iOS.
I might be convinced to switch browsers if something else does this better.
A plugin that'd answer GDPR questions on certain websites with a negatory would be cool too, but I can't imagine that could work, but it doesn't hurt mentioning.
I feel like I don't know enough about this topic, the boundaries of GDPR and so on, so explanations are especially welcome, even if you don't have the solution to the problem.
Best answer: There are cookie editor programs: e.g. https://chrome.google.com/webstore/detail/cookie-editor/hlkenndednhfkekhgcdicdfddnkalmdm?hl=en which will allow you to change the expiration dates but I don't think this technique will solve your problem.
posted by Obscure Reference at 4:47 AM on June 2, 2021
Best answer: Many sites will eventually invalidate your cookie from the server side. That is, they will see your cookie, say "yup, that's a valid login cookie but from too long ago" and make you log in again as a security measure. Nothing you can do about that.
posted by goingonit at 4:56 AM on June 2, 2021 [9 favorites]
goingonit has the correct answer, but as a mitigation: do you have a password manager? Once primed with your logins (which I admit can be annoying), it makes repeated logging-in much less of a hassle.
posted by humbug at 5:08 AM on June 2, 2021 [2 favorites]
To expand on goingonit’s answer: when a site sets a cookie it sets how long it should last for. That’s either “this session” (until you close the tab/window) or for a certain length of time. So, unless you’re able to edit that in your browser (I’ve never tried) it’s not possible.
From memory, years ago, it used to be more common to give cookies a long time to expire. But as security has become an increasingly bigger factor, I think that’s more frowned upon now.
posted by fabius at 5:16 AM on June 2, 2021
Depending on your browsing habits and your willingness to change browsers, you may like Firefox's support for cookie allowlists. It is however well hidden among Firefox's dozens of other privacy/security settings. As others point out, you can't extend the lifetime of the cookies (websites decide that) but you can choose to keep some for their full lifetime while allowing others to expire sooner or blocking them outright.
In my case (Firefox 85 on Linux) the settings live in Preferences > Privacy & Security. I prefer to select "Delete cookies and site data when Firefox is closed" so that, by default, cookies will disappear when Firefox is closed. (This assumes that you do actually close the browser from time to time; I guess some folks with 2000 open tabs may not.)
Then, for the sites where you want to maintain cookies indefinitely, visit the "Manage Exceptions..." dialog. Here you can enter a domain and hit "Allow" so that it isn't subject to deletion when Firefox closes. Usually you'll want to use just the top-level domain ("metafilter.com" instead of "www.metafilter.com"). If you visit a different dialog on the same page ("Manage data...") you can view which cookies are known to Firefox, so if you restart the browser and only your desired cookies are present, you know that your Allow settings are working.
It's also possible to block cookies outright for non-Allowed sites (Enhanced Content Protection > Custom > Cookies > All Cookies) but this will cause most modern sites to break. In practice I find that allowing cookies for the lifetime of a browser session is the best compromise between privacy and usability.
posted by SaurianNotSaurian at 6:22 AM on June 2, 2021 [2 favorites]
Best answer: As a web developer who had a few courses in security, with a tinge of paranoia, I would not trust any cookie that I can read unless I can validate it with my server-stored token and/or logic to make sure the cookies are not tampered with, at least for serious stuff like login. It's fine for user-config like color scheme, column width of tables, and such.
Cookies are something invented decades ago when both web servers and web browsers were far less sophisticated. They are outdated and have no security mechanism, and thus, cannot be trusted at all for logins and such.
With that said, you cannot set the expiration of cookies (without extensions and plugins). The website sets that. And any website that doesn't validate the value deserves to be hacked.
posted by kschang at 11:02 AM on June 2, 2021
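The server-side checks described in goingonit's and kschang's answers, sketched as an added example that is not part of the thread and not any real site's code. The names (`issue_cookie`, `validate`, `SESSIONS`), the 14-day limit and the `id.signature` cookie layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment signing key
MAX_SESSION_AGE = 14 * 24 * 3600      # assumed policy: 14 days, enforced by the server
SESSIONS = {}                         # session id -> {"user", "issued_at"}, kept server-side

def _sign(session_id: str) -> bytes:
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest().encode()

def issue_cookie(user: str, now: float) -> str:
    """Create a server-side session; Max-Age only tells the browser when to drop its copy."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "issued_at": now}
    value = f"{session_id}.{_sign(session_id).decode()}"
    return f"session={value}; Max-Age={MAX_SESSION_AGE}; Secure; HttpOnly; SameSite=Lax"

def browser_sends(set_cookie: str) -> str:
    """Browsers send back only name=value; attributes such as Max-Age stay local."""
    return set_cookie.split(";", 1)[0]

def validate(cookie_header: str, now: float):
    """Return the user for a valid session, or None to force a fresh login."""
    name, _, value = cookie_header.partition("=")
    session_id, _, signature = value.partition(".")
    if name != "session" or not hmac.compare_digest(signature.encode(), _sign(session_id)):
        return None                   # value was tampered with or forged
    record = SESSIONS.get(session_id)
    if record is None:
        return None                   # unknown or revoked session
    if now - record["issued_at"] > MAX_SESSION_AGE:
        del SESSIONS[session_id]      # too old by the server's own record
        return None
    return record["user"]

def demo():
    t0 = 1_622_600_000.0              # constructed timestamp
    header = issue_cookie("alice", t0)
    cookie = browser_sends(header)
    fresh = validate(cookie, t0 + 3600)
    forged = validate(cookie[:-1] + ("0" if cookie[-1] != "0" else "1"), t0 + 3600)
    # A cookie editor extends Max-Age to ten years: the request header is unchanged.
    edited = browser_sends(header.replace(f"Max-Age={MAX_SESSION_AGE}", "Max-Age=315360000"))
    stale = validate(edited, t0 + MAX_SESSION_AGE + 1)
    return fresh, forged, edited == cookie, stale

if __name__ == "__main__":
    print(demo())
```

Editing the expiry in the browser changes how long the browser keeps the cookie, but the server decides validity from its own `issued_at` record, so the stale session is rejected either way.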
Like SaurianNotSaurian, I used Firefox to selectively allow cookies from certain sites, using the "Allow For Session" option so that the cookies are deleted when I close the tab (or the entire Firefox session).
It's slightly annoying to add individual site URLs to the list, but at this point, I can do it in about 30 seconds. And once you do it for a given site, you never have to do it again.
posted by Artifice_Eternity at 11:40 AM on June 2, 2021
Seconding that the answer to this class of problem is to use a password manager. You don't have that level of control over how a site handles its own cookies for determining things like logins.
posted by Aleyn at 4:54 PM on June 2, 2021
There's a good app on the Mac App Store called "Cookie" by SweetP Productions which definitely gives you control of which cookies are saved and deleted. Frequently updated and worth the low cost.
posted by conrad53 at 6:08 PM on June 2, 2021
Oh lord yes, whitelisting cookies by site is absolutely a thing, I've been doing it for 20 years. For most of that time I was using the CookiePal extension on Firefox, literally the only extension I would install on every FF install. Then that extension evaporated, and I eventually settled on Cookie Autodelete, which is a poor substitute but was the best I could find and works well enough. Cookie Autodelete is available for Firefox and Chrome. Yes you should switch browsers.
Greylisting is also a thing, where it will allow cookies from a site for the "session", keeping the cookies until you restart the browser and then deleting them, regardless of when they expire. Very useful for sites that require cookies to function (grrrr) but for which you are not logging in and don't want them remembering you for years.
I have all cookies blocked by default and then whitelist the sites that I need to log into. Alas, it doesn't work so great for some website login systems, because apparently company.com is using weird domains (notcompany.com) for their login process, and I can't whitelist them. For those sites, I just start up an incognito window in the other browser program, which is set to accept everything, but the incognito mode then wipes it out later. But that's really just a corner case for a few websites. In general, the block-most and whitelist-a-few method works just fine.
posted by intermod at 9:05 PM on June 2, 2021 [1 favorite]
This thread is closed to new comments.
posted by johngoren at 4:24 AM on June 2, 2021