Problem

When accessing a Confluence instance over HTTP (and not HTTPS), users cannot log in using Firefox. The reason for this is that we mark the cookies as Secure, yet the site is not secure.

Cause

Firefox has recently decided to deprecate non-secure HTTP as a protocol. In Firefox 52, they implemented the “Strict Secure Cookies” specification:

That effort prevents HTTP-only sites from delivering cookies with the “secure”attribute. That attribute denotes the cookie should only be transported over encrypted link, but it is still possible to access such cookies over HTTP under some circumstances. Adopting the new spec will mean cookies marked “secure” can only be touched by HTTPS servers.

Our cookies are marked as '"secure", and as such can only be used over HTTPS. This means that Firefox is not passing required cookies to the server, which means that login fails.

Workaround

Use a different browser, eg Chrome or Internet Explorer.

Resolution

Implement SSL to secure your Confluence instance. See Running Confluence Over SSL or HTTPS for more information.