Firefox
Firefox Cookies
Overview
Firefox stores cookies in a dedicated cookies.sqlite database, separate from the places.sqlite history/bookmarks database. The moz_cookies table holds all cookie data including values, expiration times, security flags, SameSite policies, and Firefox-specific container tab context via the originAttributes field.
Cookies are forensically significant because they contain authentication tokens, session identifiers, tracking data, and user preference indicators. The combination of creation time, last access time, and expiry information establishes when a user interacted with a specific domain.
File Locations
| File | Path |
|---|---|
| Cookies database | ~/Library/Application Support/Firefox/Profiles/{profile}/cookies.sqlite |
| WAL journal | ~/Library/Application Support/Firefox/Profiles/{profile}/cookies.sqlite-wal |
| Shared memory | ~/Library/Application Support/Firefox/Profiles/{profile}/cookies.sqlite-shm |
Database Schema
moz_cookies
```sql
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY,
    originAttributes TEXT NOT NULL DEFAULT '',
    name TEXT,
    value TEXT,
    host TEXT,
    path TEXT,
    expiry INTEGER,        -- Unix timestamp (seconds)
    lastAccessed INTEGER,  -- PRTime (microseconds since Unix epoch)
    creationTime INTEGER,  -- PRTime (microseconds since Unix epoch)
    isSecure INTEGER,
    isHttpOnly INTEGER,
    inBrowserElement INTEGER DEFAULT 0,
    sameSite INTEGER DEFAULT 0,
    rawSameSite INTEGER DEFAULT 0,
    schemeMap INTEGER DEFAULT 0,
    CONSTRAINT moz_uniqueid UNIQUE (name, host, path, originAttributes)
);
```
Key Fields for Analysis
| Field | Forensic Significance |
|---|---|
| host | Domain that set the cookie (leading . indicates domain-wide scope) |
| name | Cookie name (e.g., session_id, _ga, PHPSESSID) |
| value | Cookie value -- may contain session tokens, user IDs, tracking identifiers |
| path | URL path scope for the cookie |
| expiry | Expiration time (0 = session cookie, deleted when browser closes) |
| creationTime | When the cookie was first set |
| lastAccessed | When the browser last sent or received the cookie |
| isSecure | 1 = only sent over HTTPS |
| isHttpOnly | 1 = inaccessible to JavaScript (mitigation against XSS) |
| sameSite | Cross-site request policy |
| originAttributes | Firefox container tab context |
SameSite Values
| Value | Name | Meaning |
|---|---|---|
| 0 | None | Cookie sent with all cross-site requests |
| 1 | Lax | Cookie sent with top-level navigations only |
| 2 | Strict | Cookie only sent in first-party context |
Origin Attributes
The originAttributes field is unique to Firefox and encodes container tab context. Examples:
| Value | Meaning |
|---|---|
| (empty string) | Default browsing context |
| ^userContextId=1 | Container tab 1 (e.g., "Personal") |
| ^userContextId=2 | Container tab 2 (e.g., "Work") |
| ^privateBrowsingId=1 | Private browsing (rare -- cookies are usually not persisted) |
Container tabs allow users to maintain separate cookie jars within the same profile. A user can be logged into different accounts on the same site in different containers. This has forensic implications: the same domain may have multiple sets of cookies with different originAttributes.
Timestamps
Firefox cookies use two different timestamp formats in the same table:
| Column | Format | Base |
|---|---|---|
| creationTime | PRTime | Microseconds since 1970-01-01 UTC |
| lastAccessed | PRTime | Microseconds since 1970-01-01 UTC |
| expiry | Unix seconds | Seconds since 1970-01-01 UTC |
PRTime to datetime:
```
creationTime = 1706234567000000
Unix seconds = 1706234567000000 / 1000000 = 1706234567
Result       = 2024-01-26T02:02:47Z
```
Expiry (already Unix seconds):
```
expiry = 1737770567
Result = 2025-01-25T02:02:47Z
```
An expiry of 0 indicates a session cookie that should be deleted when the browser closes. However, Firefox's session restore feature may keep session cookies alive across browser restarts.
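The following added example (not part of the original page or of any tool it mentions) normalizes both timestamp formats to ISO 8601 UTC in one pass and decodes the sameSite integer, so that PRTime and Unix-second columns are never mixed up on a timeline. The in-memory table, its reduced column set, the sample rows, and the function names are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SAMESITE = {0: "None", 1: "Lax", 2: "Strict"}  # integer codes from the SameSite table

def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def prtime_to_iso(microseconds):
    """creationTime / lastAccessed: PRTime, microseconds since the Unix epoch."""
    # Integer timedelta arithmetic avoids float rounding on 16-digit values.
    return iso(EPOCH + timedelta(microseconds=microseconds))

def expiry_to_iso(seconds):
    """expiry: Unix seconds; 0 marks a session cookie."""
    return "session" if seconds == 0 else iso(EPOCH + timedelta(seconds=seconds))

def normalize(conn):
    """Return one dict per cookie with every timestamp as ISO 8601 UTC."""
    query = ("SELECT host, name, creationTime, lastAccessed, expiry, sameSite "
             "FROM moz_cookies ORDER BY lastAccessed DESC")
    return [{
        "host": host, "name": name,
        "created": prtime_to_iso(created),
        "last_accessed": prtime_to_iso(accessed),
        "expires": expiry_to_iso(expiry),
        "same_site": SAMESITE.get(same_site, f"unknown({same_site})"),
    } for host, name, created, accessed, expiry, same_site in conn.execute(query)]

def sample_db():
    """Constructed in-memory stand-in for cookies.sqlite (reduced column set)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, creationTime INTEGER,"
                 " lastAccessed INTEGER, expiry INTEGER, sameSite INTEGER DEFAULT 0)")
    conn.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?, ?, ?, ?)", [
        (".example.com", "_ga", 1706234567000000, 1706238167000000, 1737770567, 1),
        ("app.example.com", "PHPSESSID", 1706234600000000, 1706238200000000, 0, 2),
    ])
    return conn

if __name__ == "__main__":
    for row in normalize(sample_db()):
        print(row)
```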
Analysis Notes
Identifying Authentication Sessions
Look for well-known session cookie names:
```sql
SELECT host, name, creationTime, lastAccessed, expiry, isSecure, isHttpOnly
FROM moz_cookies
WHERE name IN ('session_id', 'PHPSESSID', 'JSESSIONID', 'connect.sid',
               '_session_id', 'laravel_session', 'ASP.NET_SessionId',
               'SACSID', 'ACSID')
ORDER BY lastAccessed DESC;
```
Tracking Cookie Analysis
Common tracking cookies:
```sql
SELECT host, name, creationTime, lastAccessed
FROM moz_cookies
WHERE name LIKE '_ga%'
   OR name LIKE '_gid%'
   OR name LIKE '_fbp%'
   OR name LIKE '_gcl%'
   OR host LIKE '%doubleclick%'
   OR host LIKE '%facebook%'
ORDER BY lastAccessed DESC;
```
Container Tab Correlation
When originAttributes is non-empty, cookies belong to specific container tab contexts:
```sql
SELECT originAttributes, host, name, creationTime, lastAccessed
FROM moz_cookies
WHERE originAttributes != ''
ORDER BY originAttributes, host;
```
Cookie Value Redaction
The macfor collector redacts cookie values in parsed records, replacing them with [REDACTED - N bytes] to protect sensitive session tokens. The raw cookies.sqlite file is still collected and can be examined directly if needed.
Session Cookies and Browser Restart
Firefox's session restore feature means session cookies (expiry = 0) may persist across browser restarts if the user has "Restore previous session" enabled. The presence of session cookies with old creationTime values in a database from a recently started browser may indicate session restore was active.
Useful Queries
All cookies for a specific domain:
```sql
SELECT name, value, path, creationTime, lastAccessed, expiry,
       isSecure, isHttpOnly, sameSite, originAttributes
FROM moz_cookies
WHERE host LIKE '%example.com%'
ORDER BY lastAccessed DESC;
```
Session cookies only:
```sql
SELECT host, name, creationTime, lastAccessed
FROM moz_cookies
WHERE expiry = 0
ORDER BY lastAccessed DESC;
```
Cookies by domain count (tracking fingerprint):
```sql
SELECT host, COUNT(*) AS cookie_count
FROM moz_cookies
GROUP BY host
ORDER BY cookie_count DESC
LIMIT 50;
```
Version Differences
| Version | Change |
|---|---|
| Firefox 60+ | sameSite column added |
| Firefox 69+ | rawSameSite column added (original value before enforcement) |
| Firefox 79+ | schemeMap column added (tracks which schemes set the cookie) |
| Firefox 86+ | Total Cookie Protection (state partitioning) changes how third-party cookies are stored |
Firefox's Total Cookie Protection (enabled by default since Firefox 86) partitions third-party cookies by the first-party domain. This may result in the same third-party domain having multiple cookie entries with different originAttributes containing partition keys.
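As an added example (not from the original page or from any listed tool), the sketch below parses originAttributes strings and reports hosts whose cookies live in more than one jar, which covers both the container tab correlation described earlier and the partitioned third-party cookies described here. The rows are constructed, the function names are hypothetical, and the percent-encoded partitionKey sample values are an assumption about how partition keys appear in the field.

```python
from collections import defaultdict
from urllib.parse import parse_qsl

def parse_origin_attributes(raw):
    """'^userContextId=2' -> {'userContextId': '2'}; '' -> {} (default context)."""
    if not raw:
        return {}
    # Strip the leading '^', then split the '&'-separated key=value pairs.
    # parse_qsl also percent-decodes the values.
    return dict(parse_qsl(raw.lstrip("^"), keep_blank_values=True))

def context_label(raw):
    """Human-readable description of the cookie jar a row belongs to."""
    attrs = parse_origin_attributes(raw)
    if not attrs:
        return "default"
    parts = []
    if "userContextId" in attrs:
        parts.append(f"container {attrs['userContextId']}")
    if attrs.get("privateBrowsingId", "0") != "0":
        parts.append("private browsing")
    if "partitionKey" in attrs:
        parts.append(f"partitioned under {attrs['partitionKey']}")
    return ", ".join(parts) or raw  # unrecognized keys: fall back to the raw string

def hosts_with_multiple_jars(rows):
    """rows: (originAttributes, host, name) tuples, e.g. from a SELECT on moz_cookies.
    Returns {host: sorted jar labels} for hosts present in more than one jar."""
    jars = defaultdict(set)
    for origin_attrs, host, _name in rows:
        jars[host].add(context_label(origin_attrs))
    return {host: sorted(labels) for host, labels in jars.items() if len(labels) > 1}

# Constructed sample rows (originAttributes, host, name).
ROWS = [
    ("", "mail.example.com", "session_id"),
    ("^userContextId=1", "mail.example.com", "session_id"),
    ("^userContextId=2", "mail.example.com", "session_id"),
    ("^partitionKey=%28https%2Cnews.example%29", "tracker.example.net", "_uid"),
    ("^partitionKey=%28https%2Cshop.example%29", "tracker.example.net", "_uid"),
    ("", "solo.example.org", "pref"),
]

if __name__ == "__main__":
    for host, labels in hosts_with_multiple_jars(ROWS).items():
        print(host, labels)
```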
Tool Support
| Tool | Capability |
|---|---|
| macfor | Full cookie parsing with value redaction, SameSite interpretation, and container context (Pro module) |
| DB Browser for SQLite | Manual inspection of cookies.sqlite |
| AXIOM | Automated Firefox cookie extraction |
| plaso/log2timeline | Firefox cookie parser |
| EditThisCookie (browser extension) | Live cookie inspection (not forensic) |