Bug 86208 - Session cookies not always accepted
Summary: Session cookies not always accepted
Alias: None
Product: konqueror
Classification: Applications
Component: kcookiejar (show other bugs)
Version: unspecified
Platform: unspecified Linux
: NOR normal (vote)
Target Milestone: ---
Assignee: Unassigned bugs mailing-list
Depends on:
Reported: 2004-07-29 10:58 UTC by Martin Thierer
Modified: 2007-09-06 00:10 UTC (History)
0 users

See Also:
Latest Commit:
Version Fixed In:

Only check m_autoAcceptSessionCookies before sending back cookies (918 bytes, patch)
2004-07-29 11:35 UTC, Martin Thierer
86208.diff (1.20 KB, text/x-diff)
2005-03-11 02:59 UTC, Dawit Alemayehu

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Thierer 2004-07-29 10:58:07 UTC
Version:           3.2.92 (using KDE 3.2.92 (3.3 beta2), compiled sources)
Compiler:          gcc version 2.95.3 20010315 (release)
OS:                Linux (i686) release 2.6.5

My configuration for cookie management normally is as follows:

Enable cookies [x]

1. Only accept cookies from originating server [x]
2. Automatically accept session cookies        [x]
3. Treat all cookies as session cookies        [ ]

4. Default policy: Reject all cookies

I would expect that setting (2) would override setting (4). However, it seems that setting (4) still has an influence:

I have this problem with www.esprit-club.com, but also had it with other sites in the past.

When I change setting (4) to "Ask for confirmation" , nothing is asked and I get 3 session cookies set. When I try to login with the above settings, only 1 cookie is set and the login fails.
Comment 1 Martin Thierer 2004-07-29 11:35:50 UTC
Created attachment 6904 [details]
Only check m_autoAcceptSessionCookies before sending back cookies

Works for me now
Comment 2 Martin Thierer 2004-07-29 11:36:45 UTC
I think I found the problem (see patch). It makes no sense to me that cookies are only sent back if both "Automatically accept session cookies" and "Treat all cookies as session cookies" are selected.

Anyway, that's strange. If I understand that correctly, it would mean that session cookies where accepted but never sent back?
Comment 3 Dawit Alemayehu 2004-07-31 00:44:57 UTC

The patch is incorrect. I think you misunderstood the options. Checking (1) and (2) does not affect your default as well as site specific policies at all. In other words based on your settings you above, all cookies will be rejected unless you have added a site specific "Accept" policy that overrides your default "Reject" setting.

The choice of a "Reject" default policy also prevents a cookie from being sent even if one was already in place before the change was made. Again this can be overridden by adding a site specific policy which always takes precedence over the default one. This particular behavior is a discussion of another report:

If on the other hand you check option (3), then the whole thing changes just as it is explained in the quick help. If you decide to treat all cookies as session cookies, then the cookiejar will ignore any policy be it default or site specific. That way you can simply accept all cookies without being prompted and simply close your browser of simply restart the cookiejar in order to clean out the accumulated cookies.

Dawit A.
Comment 4 Martin Thierer 2004-08-02 10:05:32 UTC
Hi Dawit,

I don't expect setting (2) to affect my site specific policies, but I _do_ expect that it effects the default.

What sense does it make otherwise? If I understand you correctly, setting (2) is practically ignored, if "Reject all cookies is selected"? Then it would be better to disable that option in this case. I guess the setting doesn't affect sites with a site-specific policy? If I enable cookies for a site by adding a site specific policy, I don't only get session cookies, but all cookies, right?

If you don't want to send back cookies set before "Reject" was selected, the right thing would be add add check for session cookies and only send them back.

If I don't select "Reject" but "Ask", cookies are sent back anyway, regardless if they they where set before selecting "Ask". This means, that it also can mean that cookies are sent back, for which the user never has been asked if he wants them too be stored, although that he perhaps expect he would.

My scenario is:

I normally don't what cookies set, that's why I select "Reject" all cookies. 

But I want to make an exception to session cookies, because they don't affect my privacy (at least not more than what is possible by other means anyway), so I select "Automatically accept session cookies".

If I want to allow a site to set permanent cookies I add a site specific policy.


Comment 5 Waldo Bastian 2004-11-29 17:01:24 UTC
Dawit wrote: "The choice of a "Reject" default policy also prevents a cookie from being sent even if one was already in place before the change was made."

I think that behavior should be replaced with a dialog that asks whether you want to delete pre-existing cookies (if there are any) when you select to reject either a domain or all cookies.
Comment 6 Dawit Alemayehu 2005-03-11 02:59:59 UTC
The following patch should fix BR # 86208. If we automatically accept session 
cookies, then we should allow them to be sent back to the server regradless 
of the current default global cookie policy...

Created an attachment (id=10065)
Comment 7 Thomas Friedrichsmeier 2005-06-19 16:29:47 UTC
Well there is a patch pending for this bug, and from a cursory look, it seems to address the issue of this report. However, just to add some confusion, let me state the impression, that this issue is only partly a true programming bug, but rather a result of the confusion of exactly how those options should be interpreted.
While I think the proposed interpretation to have "accept session cookies" override "reject all cookies" makes more sense than the current behavior, the current arrangement of options is quite simply ambiguous in this regard.
Maybe all those options should be re-arranged like shown below (and also for the site-specific policies). I admit, this may not be a particularly nice alternative, and may look a lot more complicated then the current state on first glance. However, I think in this solution it would at least be fairly obvious what behavior you can expect for which settings (suggested defaults marked with X):

__Cookie filtering__

[O] Treat all cookies as session cookies (disables row 3 below)

                                        Accept     Ask    Reject
1 Cookies sent to a different server     [O]       [O]      [X]
2 Session cookies                        [X]       [O]      [O]
3 Other cookies                          [O]       [X]      [O]
Comment 8 David Anderson 2006-03-24 11:08:45 UTC
I'm having what I think is the same problem.

I wish to automatically accept all session cookies, and be given an option on others.

However, when given the option, if on the others I click "reject all for this site", it also then rejects all the session cookies too. I cannot find a way to get Konqueror to do what I want.

I believe also that the UI could be made clearer as to what is done - it is not clear what overrides what.
Comment 9 David Anderson 2006-03-24 11:12:30 UTC
Possibly Konqueror should add a new per-site policy as well as "Allow", "Deny" and "Ask" - it should also have "Allow all session cookies". This option should be offered in the dialogue window if (and only if) the cookie being asked about is a session cookie.

At the moment you don't seem to be able to automatically accept all session cookies from a site and automatically decline all others. I think this suggestion would allow that in a way that is clear to the user.
Comment 10 Dawit Alemayehu 2007-09-06 00:10:28 UTC
SVN commit 708880 by adawit:

- Send back automatically accepted session cookies. It makes no sense to automatically accept session cookies
  if we are not going to automatically send them back regardless of the current global or per-site domain policy.
  Fixes a long standing bug report.

BUG: 86208

 M  +8 -11     kcookiejar.cpp  

--- branches/KDE/3.5/kdelibs/kioslave/http/kcookiejar/kcookiejar.cpp #708879:708880
@@ -369,19 +369,16 @@
        if (cookieList->getAdvice() != KCookieDunno)
           advice = cookieList->getAdvice();
-       // Do not send cookies for this domain if policy is set to reject
-       // and we are not setup to automatically accept all cookies as
-       // session cookies...
-       if (advice == KCookieReject &&
-           !(m_ignoreCookieExpirationDate && m_autoAcceptSessionCookies))
-       {
-          if (it == domains.end())
-             break; // Finished.
-          continue;
-       }
        for ( cookie=cookieList->first(); cookie != 0; cookie=cookieList->next() )
+          // If the we are setup to automatically accept all session cookies and to
+          // treat all cookies as session cookies or the current cookie is a session
+          // cookie, then send the cookie back regardless of either policy.
+          if (advice == KCookieReject &&
+              !(m_autoAcceptSessionCookies && 
+                (m_ignoreCookieExpirationDate || cookie->expireDate() == 0)))
+              continue;
           if (!cookie->match(fqdn, domains, path))