For the past few weeks, it looks as though Safari on OS X 10.6.8 has not been handling website cookies correctly, as a Naked Security reader from Toronto pointed out recently.
This issue has also popped up on Apple’s own Support Communities forum.
On OS X 10.6.7, setting the Safari 5.0.5 (build 6533.21.1) option Accept cookies: Never would do just that. Cookies would neither be stored nor transmitted by the browser.
Upgrade to OS X 10.6.8, however, and even though the Safari version and build number remain the same, the browser’s behaviour does not. Some, but not all, cookies are stored and transmitted by the browser, even when you’ve insisted that Safari allow no cookies at all.
There’s no obvious rhyme or reason to the cookies which sneak through when they aren’t supposed to – in my tests (I visited apple.com/startpage, sophos.com and bing.com) a mixture of session, short-term and long-life cookies appeared in the mix.
In Safari 5.1, Apple’s terminology does an about-face, so that you need to Block cookies: always – a command which somehow sounds even stronger than never allowing them – but the bug persists, at least on OS X 10.6.8.
(Note that the Privacy tab of the Preferences pane no longer shows you the actual cookies which are set, as it did in Safari 5.0.5. To view cookies in 5.1 you need to use Develop|Show Web Inspector|Resources|Cookies.)
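A way to repeat this check without depending on third-party sites, as an added example that is not part of the original article: a small local server sets one session, one short-term and one long-life cookie, then reports which of them the browser sends back. The cookie names, port 8000 and the /check path are assumptions made for this example.

```python
"""Local check: does a browser set to block all cookies still store and send them?"""
import time
from email.utils import formatdate
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed test cookies: name -> lifetime in seconds (None = session cookie).
TEST_COOKIES = {"probe_session": None, "probe_short": 3600, "probe_long": 365 * 86400}


def set_cookie_headers(now=None):
    """Build one Set-Cookie value per test cookie."""
    now = time.time() if now is None else now
    headers = []
    for name, lifetime in TEST_COOKIES.items():
        value = f"{name}=1; Path=/"
        if lifetime is not None:
            value += "; Expires=" + formatdate(now + lifetime, usegmt=True)
        headers.append(value)
    return headers


def leaked_cookies(cookie_header):
    """Return the test cookies the browser sent back, given its Cookie header."""
    if not cookie_header:
        return []
    jar = SimpleCookie()
    jar.load(cookie_header)
    return sorted(name for name in jar if name in TEST_COOKIES)


class ProbeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/check":
            leaked = leaked_cookies(self.headers.get("Cookie"))
            body = "Cookies sent back: " + (", ".join(leaked) or "none")
        else:
            body = '<a href="/check">Cookies set. Click to check.</a>'
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        if self.path != "/check":
            # Only the landing page tries to set cookies; /check just reports.
            for header in set_cookie_headers():
                self.send_header("Set-Cookie", header)
        self.end_headers()
        self.wfile.write(body.encode("utf-8"))


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), ProbeHandler).serve_forever()
```

With cookies blocked, load http://127.0.0.1:8000/ and follow the link: a browser that honours the setting reports "none". Quitting and reopening the browser before visiting /check shows whether the two expiring cookies were also written to disk.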
Interestingly, this bug does not seem to appear on OS X 10.7, better known as Lion. Apple seems to have fixed the underlying fault, since Block cookies: always works as you would expect.
Nevertheless, this is cold comfort to those of us who can’t, or won’t, spend the $30 needed to upgrade to Lion. (As I mentioned before, I’m waiting until I can purchase an official, bootable, installable distribution of Lion before I’ll go near it.)
You need to be able to rely on your browser to do the right thing with cookies. Wrongly managed, they represent a potentially significant privacy risk, since cookies are used for a variety of tasks from post-login session authentication to long-term user identification.
So, if you’re a 10.6.8 user, why not report this bug to Apple? I did. It’s easy: just visit Apple’s official OS X Feedback page.