Page MenuHomePhabricator
Create Task
Maniphest T101892

Ensure {text-domain}/w/load.php requests do not bypass cache for session cookies
Closed, ResolvedPublic
Actions

Description

With recent efforts to further the demise of bits.wikimedia.org (per T94896), we should double-check that we uphold as much of the performant aspects of bits.wikimedia.org as possible.

Mainly:

  1. Cookies must not cause users to bypass caching proxies. (E.g. on regular page views for text servers, logged-in users with session cookies bypass varnish).
  2. Cookies are not sent alongside each request.

Point #2 is almost certainly not possible. But #1 is. We should make sure that logged-in users still benefit varnish caching on /w/load.php like before.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Exclude /w/load.php and /static/ from session/token no-cache stuffoperations/puppetproduction+7 -2
Customize query in gerrit

Related Objects

Event Timeline

Krinkle created this task.Jun 9 2015, 8:39 PM
Krinkle raised the priority of this task from to Needs Triage.
Krinkle updated the task description. (Show Details)
Krinkle added projects: Performance Issue, MediaWiki-ResourceLoader, acl*sre-team, Varnish.
Krinkle added subscribers: Krinkle, aaron, ori.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 9 2015, 8:39 PM
Krinkle removed a project: MediaWiki-ResourceLoader.Jun 9 2015, 8:39 PM
Krinkle set Security to None.
Krinkle moved this task from Tag to Next-up on the Performance Issue board.Jun 9 2015, 8:47 PM
Krinkle triaged this task as High priority.Jun 10 2015, 10:27 PM
Krinkle renamed this task from Ensure cache responses for requests by logged-in users to {text-domain}/w/load.php to Ensure {text-domain}/w/load.php requests do not bypass cache for session cookies.Jun 11 2015, 7:36 PM
BBlack subscribed.Jun 11 2015, 7:55 PM

+1 that this is currently an issue I think, and we should address it with some VCL changes...

BBlack added a project: Traffic.Jun 18 2015, 12:00 AM
Krinkle edited projects, added Performance-Team; removed Performance Issue.Jun 18 2015, 12:05 AM
Krinkle moved this task from Inbox, needs triage to To-do: Goals prioritized current Quarter on the Performance-Team board.
BBlack added a comment.Jun 18 2015, 12:17 AM
  1. In static-hash.inc.vcl.erb, we exclude the hostname from hashes on ^/(w/)?static, because we expect static URLs to be invariant across wikis - this makes me wonder if we should be host-invariant on load.php as well?
  2. We should probably exclude both static and /w/load.php from the session/token cookie cache-suppression stuff.
Krinkle added a comment.Jun 18 2015, 12:27 AM
In T101892#1376688, @BBlack wrote:
  1. In static-hash.inc.vcl.erb, we exclude the hostname from hashes on ^/(w/)?static [..] this makes me wonder if we should be host-invariant on load.php as well?

Must certainly not. Each wiki has its own module configuration. Different gadgets, extensions, skins, default skin, default language. Also users have different user preferences, and different pages that generate content composed as part of those modules. The message cache is also per-wiki (not to confuse with the localisation cache behind that which doesn't contain local-wiki message overrides).

Ignoring the user content and per-wiki message changes, the module scripts and styles from core would be the same. However even that isn't entirely true since even if the module content is the same, the startup module shouldn't be polluted with extensions from other wikis (the same way that extensions not installed on a wiki are not included at run time server-side and thus not available in the autoloader).

They also need to vary by wmf-branch / mediawiki version, but that could be worked around.

BBlack added a comment.Jun 18 2015, 12:28 AM

ok fair enough :)

gerritbot subscribed.Jun 18 2015, 12:43 AM

Change 219108 had a related patch set uploaded (by BBlack):
Exclude /w/load.php and /static/ from session/token no-cache stuff

https://gerrit.wikimedia.org/r/219108

gerritbot added a project: Patch-For-Review.Jun 18 2015, 12:43 AM
gerritbot added a comment.Jun 18 2015, 1:06 AM

Change 219108 merged by BBlack:
Exclude /w/load.php and /static/ from session/token no-cache stuff

https://gerrit.wikimedia.org/r/219108

BBlack mentioned this in rOPUPee6e8c17a305: Exclude /w/load.php and /static/ from session/token no-cache stuff.Jun 18 2015, 1:07 AM
Krinkle mentioned this in T44094: Startup manifest for logged-in users are minified and cause rapid objectcache growth.Jun 23 2015, 5:03 AM
Krinkle closed this task as Resolved.Jun 23 2015, 5:23 AM
Krinkle claimed this task.
Krinkle moved this task from To-do: Goals prioritized current Quarter to Doing (old) on the Performance-Team board.
BBlack moved this task from Backlog to Done on the Traffic board.Jun 28 2015, 7:38 PM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJun 28 2015, 7:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits