Today I realized Walmart has managed to bypass the private window options and place cookies anyway! To say I'm furious about this is an understatement.

The good news is, any private window cookies accepted from Walmart are still stored in memory only, not written to disk. You should see a zero cookie count for Walmart in the Manage Data dialog. But why do you see non-zero storage? I researched the question last month for a Reddit thread:

Historically, private window data would not be committed to disk at all, and therefore would never appear in the Manage Data dialog. Therefore, as a shortcut, the developers blocked pages in private windows from using standard DOM storage and IndexedDB, which caused some site breakage and provided an easy way to detect that you were in a private window. The solution selection was to store the data to disk in encrypted folders with inscrutable names, starting around Firefox 115.

Those folders can be found at

[profile.folder]\storage\private

(You can view your profile folders. See: Profiles - Where Firefox stores your bookmarks, passwords and other user data)

This data is still restricted to use in the private session in which it was saved, and should not be accessible to the same site in a regular window. What is supposed to happen with this data is:

(1) When you close the last private window, Firefox flushes private storage the same as it does with cookies

(2) Because that wasn't completely reliable, there is code that runs at startup to remove any lingering private storage folders

Regarding the Manage Data dialog, apparently it wasn't intended that private window entries be listed there. Now that they are, there isn't a clear plan on what to do about it. Per comments in bug 1868448, it is considered confusing but cosmetic. Judging from user reactions, it may be a mistake to consider it merely cosmetic.

I absolutely appreciate all you are saying and what has happened as you described (most of it anyway - still rough on some of the tk tho).

The $64 Q here is can it be used as a bypass to circumvent other barriers and eventually wind up where it shouldn't be (where the consumer doesn't want it that is, tho of course the corp entity most certainly does want it to go further) or provide a path for others to follow and figure out how to do that? I can totally see the profit-motive here at work trying to find what it is consumers are looking for. Walmart is already bumping up to Amazon trying to hedge in on the online market.

Also the point is unless this glitch is fixed I, the user, will not necessarily know at what point it HAS been fixed or now is just there and I must keep manually removing it on my own.

Thanks for ALL your hard work keeping us at least as safe as is possible. It is greatly appreciated by many even if you don't always hear it!

Hi Linda, they did check to make sure that private window data is still isolated.

I do think there is a possibility of "connecting the dots" even with cookie isolation. The reason is that the requests in different contexts (first party - on their site, and third party - on another site with content embedded from their site) still come from your same IP address. But I don't know that this is a major issue with Walmart at this point, unlike the pervasive Facebook Like buttons or Amazon affilliate ads.

It's horrifying to me to think that my IP address is not protected via a private window which I understood is part of the protection offered in using a private window; at least it used to be.

I know that some sites have asked my computer for my location as it was not able to be determined because I was *in* a private window so what you are suggesting is even more troubling than the original question.

Unfortunately, private/incognito mode doesn't reroute your requests to come through a different IP address. You would need to use a VPN for that. Mozilla offers as VPN as an extra cost product, but there was never one built-in. The only browser I've heard includes a VPN is the Opera browser.

Who said anything @ expecting a different IP address? I certainly didn't.

Once more: the topic is how and why Wamart's website is able to place a cookie on my computer when I am viewing it on a private page. THIS is the issue and THIS Is why I have posted. Any updates for this?? Is FF going to fix this issue? seems we are having to run updates almost weekly these days - at the very least how about making it worth the trouble?!

Thanks to all! Please fix this!!

UPDATE: ok apparently this isn't just Walmart who is able to place cookies on private pages only to have the *ALSO* show up in regular pages!!

I just checked then double checked using Target and then some lesser-known sites that I saw on my cookie list which I swore I had looked at earlier on private pages not regular ones.

Lo & behold cookies from major retailers are winding up in my data bin. ALL cookies are not - there are still some from smaller sites (less commercial??) that are not showing up maybe there's a billion $ minimum or something to get your cookie on a private page?

ALSO: I've come back to this forum to check responses etc, re-read the initial replies to see if I missed something THEN I noticed ALL the replies appear to have been checked "Problem Solved" yet I didn't do that? wtaf is that about? Especially this most recent response from jscher2000 who goes on about IP addresses in a random irrelevant discussion.

SO: The initial problem is not only STILL a problem but it's apparently WORSE than originally described. Will this be fixed or what? Do I need to start looking for another browser that actually does respect my privacy??

Could you double-check your Manage Data dialog:

(1) How many cookies from private windows are listed in the Cookies column? It should be zero.

(2) The total bytes listed in the Storage column adds together storage from regular sites (in the \default folder) and from private sites (in the \private folder, encrypted). They do not cross over, as explained in my first reply in this thread.