Third-party cookies are still widely used on today's Internet to track users across browsing sessions and sites they visit. While the reach of the tracking depends on the popularity of a service -- it needs to be implemented in as many sites as possible -- it is fair to say that if you allow third-party cookies to roam freely you will be tracked.

Firefox exposes only some of its cookie options in the browser options. You can block third-party cookies entirely or allow them only for sites you visited in the past.

There is also an option to clear all cookies on exit of the browser and to add exceptions to keep some around which is useful for cookies that track authentication sessions.

If you dig deeper into Firefox's options you may notice that the browser supports a bunch of cookie options that are not exposed to users in the UI.

One of these options cleans third-party cookies automatically on browser exit. The core difference to Firefox's options is that it won't touch first-party cookies set in the browser.

Attachment 10896

Here is how you configure the option:

  1. Load about:config in the Firefox address bar and hit the Enter-key to load the advanced configuration page in the browser.
  2. Confirm that you will be careful if the warning is displayed.
  3. Search for network.cookie.thirdparty.sessionOnly
  4. Double-click the preference.

The preference knows two states: true or false. The default state is false which means that Firefox won't handle third-party cookies any different than first-party cookies in the browser.

If you set the preference to true, however, Firefox will delete any third-party cookie set in the browser when you close it.

Deleting third-party cookies automatically limits tracking to browsing sessions. The option is much better than not allowing third-party cookies at all, as it may interfere with certain web services that require these cookies.

My suggestion is to allow third-party cookies only for visited sites and configure Firefox to delete them all when you close the browser. You may still add exceptions to that if you run into sites that require third-party cookies or don't work correctly for whatever reason.

You could also experiment with blocking third-party cookies entirely and see how that works out for you.

In case you are wondering, the primary cookie handling preference is network.cookie.cookieBehavior which you can set to 0: always, 1: only from originating server, 2: no cookies, 3: third-party cookies only from visited sites.

There is also network.cookie.lifetimePolicy which defines when cookies get deleted. Supported values are 0: supplied by server, 1: user is prompted, 2: expires with session, 3: lasts for specified number of days specified in network.cookie.lifetime.days.