Balancing Security and Functionality in Firefox

[Screenshot: cookie-exceptions]

Since my last login, something changed, regarding how Suntrust was using session cookies, because suddenly I could no longer pay bills or transfer money using Mozilla Firefox on my laptop. I was receiving the error message, “We’re sorry. We could not set cookies or find a session for you.” Yet, I was still logged into the financial website, and could do other things like review transaction history. What could be wrong?

Well, first you need to realize that I had my Firefox settings locked down. Specifically, I was clearing “Site Preferences” and “Cookies” on browser closure. Plus, I was not accepting third-party cookies. And all three of these settings were involved in my banking functionality problem. My first iteration was to simply enable third-party cookies. This did allow the banking functionality to work, but I ended up with a list of cookies that included Facebook.com — do I really need that cookie to complete a financial transaction?

After a lot of trial and error, I finally came up with a solution that affords me some control and yet allows for banking to work. I am documenting it here so others can take advantage of my efforts. Note that each financial institution will require a different list of allowed exceptions. And, also note that Suntrust might change, and require a different list of allowed exceptions in the future (they don’t normally notify me when they update their plugins : >).

Here are the steps:

  1. Open Mozilla Firefox and validate you have upgraded to the latest version:
    • Firefox menu | About Firefox menu item
    • If a newer version is available, then click the “Restart Firefox to Update” button.
  2. Change your privacy preferences:
    • Firefox menu | Preferences menu item
    • Click Privacy on your left
    • Select “Use Custom Settings for History”
    • Check “Accept Cookies from Sites”
    • Select “Accept Third Party Cookies”: From visited
    • Select “Keep Until”: They expire
    • Select “Clear History When Firefox Closes”
  3. Enable the ability to save cookie exceptions:
    • Click the Settings button
    • Everything can be selected (to be cleared) except “Site Preferences” and “Cookies”
    • Press the OK button to save your changes
  4. Enable the needed cookie exceptions:
    • Click the Exceptions button
    • Add your website exceptions
    • Click the “Save Changes” button
  5. Optionally, clear current cookies (note: you will lose saved website preferences):
    • Click the “Show Cookies” button
    • Click the “Remove All” button

You will notice that the above instructions ask you to not clear “Site Preferences”. This is because if you clear these, the exceptions you add in step (4) will disappear every time you close Firefox. The exceptions that worked for me are in the screenshot. Notice that you must enter https:// in front of each website; otherwise you will end up with the http:// exception, which you don’t particularly want. Banking and other financial websites should be forced into using SSL via every means possible!

Looking at my list of exceptions, you might wonder what *.cashedge.com does… turns out this enables the PopMoney feature which many banks are implementing to allow small transactions between friends and family accounts.
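To check that every saved "allow" exception really carries the https:// prefix, here is an added example (not part of the original post) that audits the cookie rules in a Firefox permissions database. It assumes the exceptions live in `permissions.sqlite` in a `moz_perms` table with `origin`, `type` and `permission` columns, which varies by Firefox version; the sample rows and `.example` hosts are constructed.

```python
import sqlite3

# Cookie permission values used by Firefox's permission manager (assumed here).
ACTIONS = {1: "allow", 2: "block", 8: "allow for session"}


def audit_cookie_exceptions(conn):
    """Return (origin, action, finding) for every cookie exception."""
    rows = conn.execute(
        "SELECT origin, permission FROM moz_perms "
        "WHERE type = 'cookie' ORDER BY origin"
    ).fetchall()
    report = []
    for origin, permission in rows:
        action = ACTIONS.get(permission, f"unknown({permission})")
        # An allow rule on a plain-http origin lets cookies be set over cleartext.
        if action.startswith("allow") and not origin.startswith("https://"):
            finding = "allow rule is not https-only"
        else:
            finding = "ok"
        report.append((origin, action, finding))
    return report


def build_sample_db():
    """Constructed in-memory database standing in for permissions.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_perms (id INTEGER PRIMARY KEY, "
        "origin TEXT, type TEXT, permission INTEGER)"
    )
    conn.executemany(
        "INSERT INTO moz_perms (origin, type, permission) VALUES (?, ?, ?)",
        [
            ("https://bank.example", "cookie", 1),     # intended exception
            ("http://billpay.example", "cookie", 1),   # typed without https://
            ("https://tracker.example", "cookie", 2),  # explicit block
            ("https://bank.example", "popup", 1),      # not a cookie rule
        ],
    )
    return conn


if __name__ == "__main__":
    for origin, action, finding in audit_cookie_exceptions(build_sample_db()):
        print(f"{origin:28} {action:18} {finding}")
```

To audit a real profile, pass `sqlite3.connect()` a copy of the profile's `permissions.sqlite` taken while Firefox is closed.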