Bug 54300 - new domain-specific cookie policy: treat as session cookie
Summary: new domain-specific cookie policy: treat as session cookie
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: kcookiejar (show other bugs)
Version: unspecified
Platform: RedHat Enterprise Linux Linux
: NOR wishlist
Target Milestone: ---
Assignee: Dawit Alemayehu
URL:
Keywords:
: 97036 155835 (view as bug list)
Depends on:
Blocks:
 
Reported: 2003-02-08 17:03 UTC by Gerd v. Egidy
Modified: 2012-10-01 20:59 UTC (History)
7 users (show)

See Also:
Latest Commit:
Version Fixed In: 4.10
Sentry Crash Report:


Attachments
kdelibs-cookie-policy.patch (10.62 KB, patch)
2009-02-06 19:17 UTC, Gregorio Guidi
Details
kdebase-cookie-policy.patch (11.16 KB, patch)
2009-02-06 19:23 UTC, Gregorio Guidi
Details
cookie-policy-snapshot.png (261.10 KB, image/png)
2009-02-06 19:27 UTC, Gregorio Guidi
Details
kdelibs-cookie-policy.patch (11.79 KB, patch)
2009-03-31 21:30 UTC, Gregorio Guidi
Details
kdebase-cookie-policy.patch (10.51 KB, patch)
2009-03-31 21:32 UTC, Gregorio Guidi
Details
kdelibs_Add-accept-for-session-as-a-new-policy-for-cookies.patch (13.98 KB, patch)
2011-02-13 15:35 UTC, Gregorio Guidi
Details
kde-baseapps_Adapt-cookie-configuration-dialog-to-new-policy.patch (11.68 KB, patch)
2011-02-13 15:36 UTC, Gregorio Guidi
Details
Add "accept for session" as a new policy for cookies (23.47 KB, patch)
2011-10-17 19:48 UTC, Gregorio Guidi
Details
Adapt cookie configuration dialog to new policy "accept for session" (13.82 KB, patch)
2011-10-17 19:50 UTC, Gregorio Guidi
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Gerd v. Egidy 2003-02-08 17:03:23 UTC
Version:            (using KDE KDE 3.1)
Installed from:    RedHat RPMs
OS:          Linux

I want to be able to accept cookies from some known "good" sites (so I do not want to set "Treat all cookies as session cookies"). 
But there are some "evil" sites that require cookies to be accepted but I don't want to be recognized from them. So I want to be able to add the domain-specific policy "Treat as session cookies" for those sites.
Comment 1 Bsuss Ca 2004-03-20 03:30:47 UTC
Just wanted to add my support for this bug.  In principle I'd like to reject all cookies except for a few.  And those few I usually want to expire after the session.  Perhaps it would be more logical to not let the "Treat all cookies as session cookies" option disable the "Site Policy".  A way of dealing with this would be to add an 'expire' option to each  "Site Policy".  Let the user choose between "Expire after n-days" or "Expire after session".
Comment 2 Eric Strong 2004-12-19 18:29:42 UTC
*** This bug has been confirmed by popular vote. ***
Comment 3 Kevin Puetz 2005-09-12 02:28:17 UTC
*** Bug 97036 has been marked as a duplicate of this bug. ***
Comment 4 Alex Hermann 2006-02-08 12:00:39 UTC
With the current google+gmail mess using the same cookies to connect search info to emails, this wishlist item becomes more needed/wanted. Is there any progress/incentive on implementing this?
Comment 5 Kevin F. Quinn 2006-09-17 14:53:10 UTC
This is the one feature that I return to Mozilla for - co-ercing cookies into session cookies on a per-site basis.  It's useful when navigating to sites that just don't work without cookies, yet which have no business keeping track of what I do for all time.  Obviously the workaround is to clear out cookies manually on a regular basis.
Comment 6 unggnu 2006-10-09 20:02:03 UTC
I think that this feature would be very usefull.
According to this request a wonderfull feature would be a little icon in status bar like the adblock one which is shown everytime a site wants to or saves a cookie. If you click on this icon you can choose to accept, reject, session or ask which is saved in settings.
Comment 7 Stephan Sokolow 2007-04-02 09:44:08 UTC
Regarding the interface, why not replace the current "Policy" tab's global settings with the following?

Only accept cookies from originating server: Checked/Unchecked
Long-duration cookies: Ask/Accept/Reject/Convert to Session Cookies
Session cookies: Ask/Accept/Reject

If you then copied that in the per-site policy "New.../Change..." dialog and added a "Use Global Settings" option, you'd have all the flexibility we love in Firefox's pre-extension setup. (With extensions, you get fun stuff like CustomizeGoogle's ability to make it more difficult for Google to track things)
Comment 8 Martin Rehn 2008-07-21 22:02:14 UTC
I think Stephan got it right in #7. At least it would cover my needs. Personally, I would set:

Only accept cookies from originating server: Checked 
Long-duration cookies: Convert to Session Cookies 
Session cookies: Accept
 
Then, in the per-site policy, I'd have a list of trusted sites (such as bugs.kde.org) that are allowed to store long-duration cookies. And a blacklist of sites that are not allowed to store any cookies at all.

(My apologies if you don't care how I would configure my system: the point is that Stephan's suggestion seems workable.)
Comment 9 Gregorio Guidi 2009-02-06 19:17:38 UTC
Created attachment 31049 [details]
kdelibs-cookie-policy.patch

I think that it would be very convenient to set the "Treat as Session Cookie" policy for specific sites, or to set it as default with exceptions for specific sites. So I propose a patch to do that.

Main points of the patch (here for kdelibs, I will attach the kdebase part later):
- Currently the policy types are "Ask, Accept, Reject". With the patch a new policy "AcceptForSession" (treat as session cookie) is added.
- Currently the policy acts on two levels: there's the domain specific policy, and if that's unset there's the global policy. With the patch the policy acts on three levels: first on a single cookie level, then domain, then global. However the policy set for the single cookies is only meaningful for storing the AcceptForSession value, and is not saved on disk.
- The patch removes the "Treat as session cookies" global option, as it is not needed anymore. It also removes the "Auto accept session cookies" option. The latter is debatable, since one can think of a scenario where it could still be useful (accepting session cookies _but_ not accepting persistent cookies, not even for the session only), but this doesn't fit cleanly so I opted to remove it.

Hope this helps.
Comment 10 Gregorio Guidi 2009-02-06 19:23:34 UTC
Created attachment 31050 [details]
kdebase-cookie-policy.patch

kdebase part of the patch.

Note: here I removed the use of KUrl::fromAce and KUrl::toAce functions (encoding and decoding of domain names). This was needed for a different problem: when the settings module uses those functions to read the configuration file and to write it back, it modifies the domain names by removing the leading dot. So, messing with the settings module will cause problems and testing the patch would be impossible. I will see how to deal with that separately.
Comment 11 Gregorio Guidi 2009-02-06 19:27:42 UTC
Created attachment 31051 [details]
cookie-policy-snapshot.png

Snapshot to get a quick look at the effect of the patch.
Admittedly the "Do you want to accept..." dialog is really ugly... :/
Comment 12 Gerd v. Egidy 2009-02-09 09:18:22 UTC
Hi Gregorio,

thank you for coding this up! I look forward to try it, I hope I'll find some time this week to set up the compile-environment.

Kind regards,

Gerd
Comment 13 Gregorio Guidi 2009-03-31 21:30:44 UTC
Created attachment 32505 [details]
kdelibs-cookie-policy.patch

Slightly updated patch against current svn.
Added comment, whatstis, set a button icon for the dialog, removed the fromAce/toAce part (see bug 183720).

kdelibs part of the patch, against r947557.
Comment 14 Gregorio Guidi 2009-03-31 21:32:05 UTC
Created attachment 32506 [details]
kdebase-cookie-policy.patch

kdebase part of the patch, against r947557.
Comment 15 Dawit Alemayehu 2010-09-19 07:23:43 UTC
*** Bug 155835 has been marked as a duplicate of this bug. ***
Comment 16 Gregorio Guidi 2011-02-13 15:35:41 UTC
Created attachment 57213 [details]
kdelibs_Add-accept-for-session-as-a-new-policy-for-cookies.patch

For the record, here are the patches regenerated to apply cleanly in 4.6.0, in 'git format-patch' format.

This is the patch for the kdelibs repository.
Comment 17 Gregorio Guidi 2011-02-13 15:36:58 UTC
Created attachment 57214 [details]
kde-baseapps_Adapt-cookie-configuration-dialog-to-new-policy.patch

Patch for the kde-baseapps repository.
Comment 18 Dawit Alemayehu 2011-05-04 04:31:22 UTC
Gregorio,

First thanks for providing a patch. It is rare that people provide their own patch for feature they want to have.;) Second, I had plans to commit a modified version of your patch to KDE 4.6 (see the feature plans page for KDE 4.6), but I did not have the time to do it. Unfortunately I doubt I will have the time to do it for KDE 4.7 either since there is way too much on my plate. However, I will try my best to get it in for KDE 4.8.

In the mean time, there is one thing I do not like with your patch:

You removed the ability to automatically accept session cookies. That is wrong. For example, I should be able to choose "Ask for confirmation" and still have the ability to automatically accept "session cookies". Changing the check box that treats all cookies as session cookies to a selectable option that does the same on per cookie basis should not deprive the other use cases of this functionality. If you believe otherwise, please explain why that should not be the case.

I guess you removed it because it conflicted with the new option when you should have simply ignored it when the new option is selected. You can even disable the checkbox associated with it when the user selects the new option in the config dialog box.

The other issue is the missing test cases. All those unit tests in kdelibs/kioslave/http/kcookiejar/tests have to be modified to reflect these changes. Anyhow, this should not be that much of a big deal to go through. The above issue however is important.
Comment 19 Gregorio Guidi 2011-05-10 23:17:14 UTC
Hi Dawit, thanks for your reply, it's really appreciated to get feedback after so much time. :)
About the option to automatically accept session cookies, at the time I wrote the patch I thought a bit about possible use cases for keeping it, but didn't came up with anything really compelling and eventually left it out (there was some reasoning about it somewhere in comment #9). Actually, the problem was that it didn't fit nicely. I set the goal to have the same set of policies available both globally and per-site for cleanliness, and that was an exception as it was only global.

But I agree that in fact there are possible use cases and it should be reintroduced. As you are planning to reimplement the feature, maybe you have some ideas on the best way to readd the option to accept session cookies? As a global checkbox above the policy panels as it is now, or maybe something different, even splitting the "default policy" panel into one policy for session cookies and one for persistent cookies?

Anyway, if you give an indication on what you are planning and you are not already working on the code, I can give it a try.

Thanks again!
Comment 20 Gregorio Guidi 2011-10-17 19:48:47 UTC
Created attachment 64647 [details]
Add "accept for session" as a new policy for cookies

I took some time to update and refine the patch for this feature. It would be very nice if this was considered for the current development cycle, either 4.8 or whatever the next version will be (this touches both kdelibs and kde-baseapps/konqueror).

I summarize here the main points of the patch:
- Currently the policy types are "Ask, Accept, Reject". With the patch a new
policy "AcceptForSession" (treat as session cookie) is added, with matching chages to the kcookiejar server (kdelibs) and to the configuration dialog (kde-baseapps/konqueror).
- The option "Treat as session cookies" is removed.

With respect to the previous version of the patch:
- The option "Auto accept session cookies" is retained and works as intended.
- I added specific test code to check for end-of-session situations, and added appropriate test cases for the patch functionalities.
- I reorganized the code a bit for consistency: before, the function cookieAdvice() was called only once before putting the cookies in the jar, then cookies inside the jar were treated in no uniform way (all cookies were Accepted once in the jar, there was no distinction between cookies treated as session-cookies and persistent cookies). Now, cookieAdvice() is used throughout the code to provide uniform treatment of the cookies in the jar based on configured policy: to decide whether to delete them at the end of the session, to send them back to a server, to save them on disk.

This is the kdelibs part of the patch. The kde-baseapps part will follow.
Comment 21 Gregorio Guidi 2011-10-17 19:50:25 UTC
Created attachment 64648 [details]
Adapt cookie configuration dialog to new policy "accept for session"

kde-baseapps part of the patch.
Comment 22 Gregorio Guidi 2011-10-17 19:59:24 UTC
By the way, while testing the patch I stumbled on a couple of small bugs in
current git which I reported as bug 284297 and bug 284299 (with patches). Maybe
Dawit could take a look at them as they relate to the work he is doing in
konqueror.
Comment 23 Dawit Alemayehu 2011-10-18 05:17:09 UTC
(In reply to comment #20)
> Created an attachment (id=64647) [details]
> Add "accept for session" as a new policy for cookies
> 
> I took some time to update and refine the patch for this feature. It would be
> very nice if this was considered for the current development cycle, either 4.8
> or whatever the next version will be (this touches both kdelibs and
> kde-baseapps/konqueror).
> 
> I summarize here the main points of the patch:
> - Currently the policy types are "Ask, Accept, Reject". With the patch a new
> policy "AcceptForSession" (treat as session cookie) is added, with matching
> chages to the kcookiejar server (kdelibs) and to the configuration dialog
> (kde-baseapps/konqueror).
> - The option "Treat as session cookies" is removed.
> 
> With respect to the previous version of the patch:
> - The option "Auto accept session cookies" is retained and works as intended.
> - I added specific test code to check for end-of-session situations, and added
> appropriate test cases for the patch functionalities.
> - I reorganized the code a bit for consistency: before, the function
> cookieAdvice() was called only once before putting the cookies in the jar, then
> cookies inside the jar were treated in no uniform way (all cookies were
> Accepted once in the jar, there was no distinction between cookies treated as
> session-cookies and persistent cookies). Now, cookieAdvice() is used throughout
> the code to provide uniform treatment of the cookies in the jar based on
> configured policy: to decide whether to delete them at the end of the session,
> to send them back to a server, to save them on disk.
> 
> This is the kdelibs part of the patch. The kde-baseapps part will follow.

Thanks for your great work Gregorio! You have even added a unit test for testing your changes! Very nice. Makes our job that much easier. :) 

I am going to make sure this gets merged into whatever is going to become KDE 4.8 release as soon as I finish testing it on my system. I also have to first find out which branch will be used as a basis for KDE 4.8. It is probably going to be the frameworks branch, but I have to find that out too.
Comment 24 Dawit Alemayehu 2011-10-18 05:17:09 UTC
(In reply to comment #20)
> Created an attachment (id=64647) [details]
> Add "accept for session" as a new policy for cookies
> 
> I took some time to update and refine the patch for this feature. It would be
> very nice if this was considered for the current development cycle, either 4.8
> or whatever the next version will be (this touches both kdelibs and
> kde-baseapps/konqueror).
> 
> I summarize here the main points of the patch:
> - Currently the policy types are "Ask, Accept, Reject". With the patch a new
> policy "AcceptForSession" (treat as session cookie) is added, with matching
> chages to the kcookiejar server (kdelibs) and to the configuration dialog
> (kde-baseapps/konqueror).
> - The option "Treat as session cookies" is removed.
> 
> With respect to the previous version of the patch:
> - The option "Auto accept session cookies" is retained and works as intended.
> - I added specific test code to check for end-of-session situations, and added
> appropriate test cases for the patch functionalities.
> - I reorganized the code a bit for consistency: before, the function
> cookieAdvice() was called only once before putting the cookies in the jar, then
> cookies inside the jar were treated in no uniform way (all cookies were
> Accepted once in the jar, there was no distinction between cookies treated as
> session-cookies and persistent cookies). Now, cookieAdvice() is used throughout
> the code to provide uniform treatment of the cookies in the jar based on
> configured policy: to decide whether to delete them at the end of the session,
> to send them back to a server, to save them on disk.
> 
> This is the kdelibs part of the patch. The kde-baseapps part will follow.

Thanks for your great work Gregorio! You have even added a unit test for testing your changes! Very nice. Makes our job that much easier. :) 

I am going to make sure this gets merged into whatever is going to become KDE 4.8 release as soon as I finish testing it on my system. I also have to first find out which branch will be used as a basis for KDE 4.8. It is probably going to be the frameworks branch, but I have to find that out too.
Comment 25 Dawit Alemayehu 2012-09-30 17:09:47 UTC
Git commit ef269fdee33113354776693089c26f73093658a5 by Dawit Alemayehu.
Committed on 24/09/2012 at 08:31.
Pushed by adawit into branch 'KDE/4.10'.

Changed the global "Treat all cookies as session cookies" option to a per
domain/cookie policy setting called "AcceptForSession".

As the name implies the policy allows a user to accept a given cookie that would
automatically expire it at the end of the current session regardless of the
cookies' expiration date.

The patch has a corresponding patch that takes care of the cookie configuration
module and was provided by Regorio Guidi.

CCMAIL:gregorio.guidi@gmail.com
REVIEW:106618

M  +1    -0    kioslave/http/kcookiejar/CMakeLists.txt
M  +49   -37   kioslave/http/kcookiejar/kcookiejar.cpp
M  +26   -11   kioslave/http/kcookiejar/kcookiejar.h
A  +11   -0    kioslave/http/kcookiejar/kcookiescfg.pl
M  +6    -0    kioslave/http/kcookiejar/kcookiescfg.upd
M  +6    -0    kioslave/http/kcookiejar/kcookieserver.cpp
M  +89   -48   kioslave/http/kcookiejar/kcookiewin.cpp
M  +5    -3    kioslave/http/kcookiejar/kcookiewin.h
A  +51   -0    kioslave/http/kcookiejar/tests/cookie_session.test
M  +3    -7    kioslave/http/kcookiejar/tests/cookie_settings.test
M  +11   -2    kioslave/http/kcookiejar/tests/kcookiejartest.cpp

http://commits.kde.org/kdelibs/ef269fdee33113354776693089c26f73093658a5
Comment 26 Dawit Alemayehu 2012-09-30 17:22:01 UTC
Git commit 930e19b9a7244b45b9fc830b34a09fdc1b2fb3c8 by Dawit Alemayehu.
Committed on 24/09/2012 at 08:59.
Pushed by adawit into branch 'master'.

Added configuration option for accepting cookies until end of session per
globally (default) or per domain. This is the configuration part of the change
that was made to the cookiejar with the following commit:

http://commits.kde.org/kdelibs/ef269fdee33113354776693089c26f73093658a5
FIXED-IN:4.10
REVIEW:106619

M  +31   -59   konqueror/settings/kio/kcookiespolicies.cpp
M  +2    -4    konqueror/settings/kio/kcookiespolicies.h
M  +192  -201  konqueror/settings/kio/kcookiespolicies.ui
M  +12   -6    konqueror/settings/kio/kcookiespolicyselectiondlg.h
M  +7    -0    konqueror/settings/kio/kcookiespolicyselectiondlg.ui

http://commits.kde.org/kde-baseapps/930e19b9a7244b45b9fc830b34a09fdc1b2fb3c8
Comment 27 Gregorio Guidi 2012-10-01 20:59:19 UTC
After all this time, I see you did not forget about this patch. I really appreciate your dedication and skills, seeing also all the other work you do for konqueror. Thanks Dawit!