Created attachment 22734 [details] [review]
proposed fix

Could you explain the reason of having a limited lifetime ?
Does the lifetime "countdown" start on the last time the cookie is 
accessed or the time it's created ?

Without lifetime limit, the cookie expires when the site has said to,
and many sites have unacceptable values there, like 2038 [i.e. the
absolute maximum unix time]. Therefore, when you visit some site which
sets a cookie, it lives forever, long after you've last accessed the
site (you may even have been there only once), and long after all
other traces of you having been there, like the history entries, have
expired.

The "countdown" starts when the cookie is set or modified; since most
sites update the cookie when you visit them again, the "countdown"
starts anew then.

Sounds good to me.

what's up with this ?

You ok'd to commit it, but spark raised an objection: what about sites
which don't update their login cookies (which would lead to you having
to re-login). [Don't know if those sites exist :)]

I think we should try this early on after we branch for 1.2 so we can
see if it causes any problems.

Couple things:
* please don't put this in as is; the default can't be 'eat my data
after a month' or you'll get a lot of 'I entered my password at this
site, and for some reason it isn't remembered when I go back.' Make it
an option, sure, but have it default to false.
* I'd suggest making this something like 'eat all personal data after
30 unused days' or something like that- tie together cookies,
passwords, history, etc. Just a thought.

The password is remembered in the password manager; if the web site
sets a cookie this just makes the next login a bit faster.

We already delete history info after 10 days, so I don't see why other
personal data like cookies shouldn't be forgotten after a certain
time, too.

I'm not particularly sure that deleting the history after ten days is
sane either. It certainly bugs me when I'm trying to look for older
sites. IMNSHO, one should never delete user data by default. Like I
said, I think tying them into one preference ('delete personal data
after X days') with a default to keep forever is the right one. 

Luis, never deleting history would cause serious performances 
issues, loading pages, using history dialog and using completion.
I dont think we have the same problem with cookies though.

My opinion on the cookie lifetime is that it's not worth risking to
introduce problems. What we really gain by expiring these cookies ?
They are not visible to most users anyway ...

Mass reassigning of Epiphany bugs to epiphany-maint@b.g.o

an option to forget cookies after the session would be nice. session means
deleting all cookies, after the last epiphany window is closed.
this is in my opinion the best compromise between trouble-free visiting website
and privacy. 

Of course this shouldnt be an default option.

I am an administrator for an internet cafe and we dont use epiphany, besause it
isnt possible to save cookies just temporally.

Modifying summary to reflect refocus of this bug.

This feature would be really handy from a privacy standpoint. Firefox already
has this feature, why not epiphany? I hope this is implemented soon.

Target: 1.8 -> 1.10 due to feature and UI freeze.

I want ask what the status of this cookie problem is. I think this should have a higher priority and isn't "just" an enhancement. Privacy issues are really important and when I check from time to time my saved cookies I am shocked which garbage their is.

I would be really happy, if this could be realized in the next version (2.16). If this feature would be avaible, epiphany would be perfect for me. I like this browser really.

Mass changing target 2.16 -> 2.18

Is there any progress on this? The last comment is from a year ago and this ticket is *very* important from a privacy standpoint. Since epiphany can be built against Firefox, isn't there a way to access the Firefox backend for this feature and build off that?

Ah, it turns out there's a setting for this:  http://kb.mozillazine.org/Network.cookie.lifetimePolicy

Just set it to '2' in about:config to have all cookies be session cookies.

So, all that's really needed is a simple GUI to change the value of the setting.

+1 for this feature from me. Cookies can be dangerous. A browser should not force a user to keep cookies longer than really required.

The workaround mentioned in comment #21 is only valid for the gecko backend, which is bad. If WebKit is going to be used more in the future, this is one of the most critical features IMHO.

Bug #145755 is a dupe of this btw.

*** Bug 145755 has been marked as a duplicate of this bug. ***

Fixed by the Incognito Mode?
Or still a wanted option to the Normal Mode?

Yup, this is what Incognito Mode is for. Well, you could make a case for wanting to save history but not cookies... I don't think we really need that level of configurability, so I will close this bug, but if someone wants to submit a patch, I think that'd be fine.