Let's start with your bug report. You mentioned setting Firefox to "Never remember history" (Privacy Preferences). But then you said

My setting to Never Remember History had reverted to Use Custom Settings For History.

And in your other bug you wrote:

I opted for private browsing mode and to accept cookies with no exceptions including accepting from third parties and to keep until I close FF, although keeping until I close FF is dimmed

So, are you currently starting up automatically in private browsing mode? As far as I know, in private windows, the regular cookie file is not used and instead cookies are retained in memory for the duration of your session.

Regarding unsaved files, the SQLite database engine may use one or two temporary or working files that eventually need to get reconciled into the main file. The names are very similar:

• Write-Ahead Log: cookies.sqlite-wal
• Shared-Memory File: cookies.sqlite-shm

I don't know that there's any way to look inside these files.

In this question you wrote:

It bothers me that website X can read a cookie left by website Y and that opening an email can cause a cookie to be added to my computer.

Well, that would be very troubling, but Firefox should never return a cookie to a site other than the one that set it. Why do you believe that is happening?

As for opening an email, are you opening it in Firefox? Webmail is a web page, and there's really no distinction between emails and other kinds of pages.

If you leave tabs open when you close Firefox then the cookies used on these tabs are stored in sessionstore.js and restored when you reopen these tabs.

You can set browser.sessionstore.privacy_level to 2 (never) or 1 (non-HTTPS) on the about:config page to disable saving cookies via session restore in the sessionstore.js file. The browser.sessionstore.privacy_level_deferred pref is used when you do not reopen the previous session automatically via "Show my windows and tabs from last time" and uses the same values.

• http://kb.mozillazine.org/browser.sessionstore.privacy_level

Note that "Use custom settings for history" is only meant to inspect the History settings and doesn't make any changes to specific history and cookie settings.

Firefox shows "Use custom settings for history" as an indication that at least one of the history and cookie settings is not the default to make you aware that changes were made. If all History settings are default then the custom settings are hidden and you see "Firefox will: (Never) Remember History". "Never Remember History" means that Private Browsing is active and "Always use private browsing mode" gets a checkmark. "Use custom settings for history" stays selected if at least one of the History or Cookie settings is not the default to make you aware that changes from the default setting have been made.

What I was finding was that I would start in private browsing mode and have no choice but to start in Use Custom Settings For History, because the alternatives automatically reverted to this choice. That was the case for a few recent versions including the one I have now. I have accepted all updates. I tested the newest version by trying to switch the menu to Remember History and to Never Remember History; in both cases, it forced a restart of FF and when it restarted it showed Use Custom Settings For History. Before switching, I looked at the cookies list and it was empty, but after the restart it opened Web pages I hadn't been to in days (I cold-reboot at least once a day) and found a list of cookies, including at least three session cookies from some prior session/s. Then, when I went to Use Custom Settings For History and private browsing mode, it showed cookies. That's disturbing. Private browsing mode had the Keep Until I Close Firefox and Clear History When Firefox Closes both dimmed. I couldn't make it automatically forget cookies after every quitting from FF. I couldn't make it Never Remember History.

Then I found something peculiar. I can make it either Remember History or Never Remember History provided I select the same command twice in a row. That's not intuitive, and I have to test it over time. What happens is that selecting one of those forces a restart to Use Custom Settings For History with private browsing mode either on or off according to what I had tried to select in (Never) Remember History. Then if I select the same (Never) Remember History menu item as in the last attempt, the choice stays. But only temporarily. If I quit FF and restart it, it shows Use Custom Settings For History and private browsing mode. It claims to have no cookies but I've caught it lying about that before (as stated above). This is buggy and I plan to report that.

I learned that one website apparently can read another site's cookies when my Yahoo email service displayed an ad for a book from Amazon, displaying it prominently five times consecutively (unlike most ads, which usually appear in rotation), just after I had visited Amazon and looked up that same book. I'm pretty sure I had closed the Amazon tab (and logged out of Amazon if I was even logged in) before I had logged into Yahoo. Also, while I usually don't understand a cookie's content, there's no reason one cookie issuer can't educate another site on how to read its cookies. Most cookies I see listed are not from sites I ever separately visited; rather, most came because I visited a site with another domain name. So, if site A can supply a cookie from site B, then presumably site A can read the cookie from site B (although site A correctly interpreting it would be up to site B's teaching how). An alternative mechanism, that Amazon keeps its own information about my possibly-not-logged-in computer's interest in a book and uses a channel other than me to tell Yahoo, and Yahoo then runs an ad under my Yahoo login, is a complicated stretch. Since I can read saved cookies' contents and third-party cookies are accepted, it's likely one website can read cookies from another site.

I do open emails in Firefox, not Thunderbird or another email client. I hadn't thought of emails as vectors for cookies, probably because when I send an email I'm never offered an option to send a cookie. I discovered the connection when I found a cookie from my cell phone service provider shortly after I opened an email from that same firm without having visited that firm's website since my last cold boot.

I want all cookies deleted when I close FF, and FF preserving them because I have tabs open when I quit FF is contrary to what its settings promise. When I decide to exit FF, I don't first close tabs; that extra step shouldn't be necessary, given the promise.

Browser.sessionstore.privacy_level is for session restoration after a crash and some other events but not for after a quitting. Some sites seem to require cookies to operate during a session, so I want cookies if the sites want them, albeit only until my session ends. If browser.startup.page is set to 0, 1, or 2, then <browser.sessionstore.privacy_level_deferred>, which determines FF's behavior after a quit, may be set to a value also allowed for <browser.sessionstore.privacy_level>, my preferred value being 2. So I set it that way, and I'll see what happens.

Thank you. I hope this works.

Firefox doesn't show Private Browsing mode cookies. You only see cookies for regular mode even if you are in PB mode and those regular mode cookies aren't used. This is a bit weird behavior and you can't see the actual cookies that Firefox uses in PB mode other then using the Web Console (Firefox menu button or Tools > Web Developer) with a "document.cookies" command for the current tab.

As posted above, Firefox always switches to "Use custom settings for history" when not all history/cookie settings aren't the default. When all settings are default then you see "Remember history" or "Never remember history". Choosing either "Remember history" or "Never remember history" should restore the default history settings and this should stay selected on a next start. Toggling "Always use Private Browsing mode" directly via "Use custom settings for history" only changes this setting. If you initialize prefs via a user.js file or otherwise then the outcome is uncertain.

Nick_Levinson said

I learned that one website apparently can read another site's cookies when my Yahoo email service displayed an ad for a book from Amazon, displaying it prominently five times consecutively (unlike most ads, which usually appear in rotation), just after I had visited Amazon and looked up that same book. I'm pretty sure I had closed the Amazon tab (and logged out of Amazon if I was even logged in) before I had logged into Yahoo. Also, while I usually don't understand a cookie's content, there's no reason one cookie issuer can't educate another site on how to read its cookies. Most cookies I see listed are not from sites I ever separately visited; rather, most came because I visited a site with another domain name. So, if site A can supply a cookie from site B, then presumably site A can read the cookie from site B (although site A correctly interpreting it would be up to site B's teaching how). An alternative mechanism, that Amazon keeps its own information about my possibly-not-logged-in computer's interest in a book and uses a channel other than me to tell Yahoo, and Yahoo then runs an ad under my Yahoo login, is a complicated stretch. Since I can read saved cookies' contents and third-party cookies are accepted, it's likely one website can read cookies from another site.

I can understand why it looks that way, because on the surface websites are seamless, but I promise that unless your Firefox is very broken, Amazon can't read your Yahoo cookies, and Yahoo can't read your Amazon cookies.

So how do sites follow you around the net trying to tempt you back to something you showed some level of interest in? Advertising networks have their own cookies. A website will earn money from advertisers by embedding a script from the advertiser's website. When Firefox requests the script, it sends the cookies previously set by the server hosting that script, in other words, the ad network. With that information, the ad network can link your new request to your previous requests on sites showing ads from the same network. Or if it's Amazon, to your actual behavior on their own site.

I don't have my own prefs or *.js file for FF, only what FF has on its own.

I found that amazon.com writes a cookie for yahoo.com. Also, the tab history is not deleted even though I clicked to delete all history. So, preprivacy tabs are remembered and reappear when Remember History is brought back, so the tabs come back unrequested and cookies are recreated, which means that in the interim when I think I've deleted everything and I'm in private browsing mode everything is still in my laptop and that risks websites reading it without my knowledge. I added a new experiment result to <https://bugzilla.mozilla.org/show_bug.cgi?id=1208693>.