Page MenuHomePhabricator
Create Task
Maniphest T142542

LoggedOut cookie not set anymore
Closed, ResolvedPublic
Actions

Description

In my testing, LoggedOut is not set anymore. I'm not sure if this is intentional. My understanding is that this is supposed to be used to bypass pages that were cached by the browser when you were logged in.

Impact

(Unconfirmed). I suspect that now, when you view article X, and are logged in, and then log out, and view the same pages you have viewed before, it will appear as if you are logged in, because the browser is getting a "304 Not Modified" response from the server allowing the b browser to use its cache. This would be incorrect, potentially confusing, and might seem insecure to users.

See also:

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Remove LoggedOut cookie handlingoperations/puppetproduction+0 -6
Remove LoggedOut cookie logicoperations/mediawiki-configmaster+1 -1
Remove LoggedOut cookie logicmediawiki/extensions/CentralAuthmaster+0 -12
Remove defunct LoggedOut cookiemediawiki/coremaster+0 -53
Remove defunct LoggedOut cookiemediawiki/coremaster+0 -53
Customize query in gerrit

Related Objects

Event Timeline

Mattflaschen-WMF created this task.Aug 9 2016, 11:24 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 9 2016, 11:24 PM
Tgr added a comment.EditedAug 9 2016, 11:58 PM

It's not intentional; it's supposed to be set in CookieSessionProvider::setLoggedOutCookie. But I guess that's never called since the (anonymous) session is not persisted on logout.

If that is indeed the case then it has been broken since January, when SessionManager was deployed (specifically, the User::doLogout() changes in a73c5b7395a07d490f7052fd3b2491ebd656b190).

Danny_B added a project: Regression.Aug 10 2016, 1:24 PM
Anomie added a comment.Aug 15 2016, 5:53 PM

More likely is that the fix for T127436 (6d4436c9) caused the cookie to no longer be set since the session is no longer persisted by the time it would be sent to the browser.

I'm not sure that this is a problem anymore, though: the intention seems to have been to fix T2063 without clearing/resetting the session cookie, but since T127436 we do clear the session cookie so the Vary header should handle varying the cache now.

Tgr added a subscriber: tstarling.Aug 15 2016, 6:40 PM

From 990d7679/7f64539 it would seem that clearing the session is not enough, or not wanted. Maybe @tstarling can clarify?

Related: T33639

Anomie added a subscriber: BBlack.Aug 15 2016, 6:52 PM

OTOH, setting the LoggedOut cookie again might well re-break T127436, since it's included in the Key header. I'd hope browsers are smart enough to respect at least the Vary header for their local caching.

Mattflaschen-WMF unsubscribed.Aug 16 2016, 8:40 PM
Aklapper added a comment.Apr 13 2017, 10:48 AM

So.... should this be declined? Sounds like there is no consensus that the advantages outweigh?

Aklapper added a comment.Oct 8 2017, 9:09 PM
In T142542#3177836, @Aklapper wrote:

So.... should this be declined? Sounds like there is no consensus that the advantages outweigh?

Anyone willing to make a decision?

Anomie added a comment.Oct 10 2017, 7:40 PM

I think we're waiting for Tim's opinion in light of 990d7679/7f64539.

Anomie mentioned this in T179752: Clear site data on MediaWiki log out.Nov 5 2017, 3:25 PM
Aklapper added a comment.Dec 9 2017, 6:34 PM

@tstarling: Could you provide your opinion please? See last comment by anomie. Thanks.

Krinkle added a project: Performance-Team.May 4 2019, 3:18 PM
kchapman moved this task from Inbox, needs triage to Backlog: Maintenance, non-prioritized on the Performance-Team board.May 6 2019, 8:04 PM
Krinkle updated the task description. (Show Details)May 6 2019, 8:05 PM
aaron triaged this task as Lowest priority.Jun 6 2019, 9:20 AM
Krinkle added a project: Platform Engineering.Jun 6 2019, 9:21 AM
Krinkle updated the task description. (Show Details)
Tgr added a comment.Jun 6 2019, 11:06 AM

I suspect that now, when you view article X, and are logged in, and then log out, and view the same pages you have viewed before, it will appear as if you are logged in

That does not seem to be the case, on multiple levels:

  • I can't actually produce a 304 (I'm testing in Chrome 74 on Ubuntu): if I log out, the following load of a previously visited page will be a 200, and only the following ones 304s. Not sure why that happens, it seems like the server shouldn't be able to differentiate but somehow it does.
  • There is a Vary: ..., Cookie, ... header on all responses, and logged-in and logged out requests have different cookies so I imagine that splits the cache on the browser side as well, and the browser doesn't use the cached 200 that was the response for a request with a session cookie to render a 304 response given for a request with no session cookie.
  • All responses to logged-in requests have Expires: Thu, 01 Jan 1970 00:00:00 GMT which I think discourages browser caching anyway.
WDoranWMF edited projects, added Platform Team Legacy (Watching / External); removed Platform Engineering.Jun 11 2019, 1:07 PM
daniel subscribed.Jun 11 2019, 1:12 PM

This sounds to me like the cookie is actually not needed. If that is the case, the related code should be deleted.

If this is not the case and we still need the cookie, the code needs to be fixed.

Gilles removed a project: Performance-Team.May 20 2020, 5:10 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:03 PM
Krinkle mentioned this in T403866: Toggling desktop view doesn't toggle user back into mobile mode.Sep 11 2025, 2:29 AM
ori subscribed.Nov 9 2025, 2:57 AM

The cookie has been defunct for almost a decade. The code should be deleted.

gerritbot added a comment.Nov 9 2025, 2:58 AM

Change #1203251 had a related patch set uploaded (by Ori; author: Ori):

[mediawiki/core@master] Remove defunct LoggedOut cookie

https://gerrit.wikimedia.org/r/1203251

gerritbot added a project: Patch-For-Review.Nov 9 2025, 2:58 AM
gerritbot added a comment.Nov 9 2025, 3:00 AM

Change #1203252 had a related patch set uploaded (by Ori; author: Ori):

[mediawiki/core@master] Remove defunct LoggedOut cookie

https://gerrit.wikimedia.org/r/1203252

gerritbot added a comment.Nov 9 2025, 3:02 AM

Change #1203251 abandoned by Ori:

[mediawiki/core@master] Remove defunct LoggedOut cookie

https://gerrit.wikimedia.org/r/1203251

Krinkle subscribed.Nov 19 2025, 4:20 PM
In T142542#5239872, @Tgr wrote:

[…]

  • All responses to logged-in requests have Expires: Thu, 01 Jan 1970 00:00:00 GMT which I think discourages browser caching anyway.

It does not.

Expires with a past date is the same as max-age=0, which in turn is the same as a expires in the future or max-age=100 and then waiting for that to be in the past / expire. The result is that browsers should revalidate it via the IMS/INM header and may then receive an empty HTTP 304 response instead a full HTTP 200 re-download.

Unless something extreme like Cache-Control: no-store is used, a browser will store it, and then use it offline (if fresh) or use it it revalidation (if expired).

This is all a good thing, because logged-in users can do and do benefit from HTTP 304 when re-visiting articles that haven't been edited/touched since your last visit. Changing cookies when logging-in or logging-out effecitvely invalidates the local browser cache, because we set Vary: Cookie which means the internal cache key will not be based solely on the URL but also on the cookie values.

Krinkle added projects: MediaWiki-Platform-Team (Radar), Wikimedia-Performance-recommendation.Nov 19 2025, 4:21 PM
Tgr added a comment.Dec 4 2025, 12:50 AM

Varnish has this snippet, if we are dropping the cookie, we should probably drop it as well:

// Users that just logged out, should not get a 304 for their
// (locally cached) logged in pages.
if (req.http.If-Modified-Since && req.http.Cookie ~ "LoggedOut") {
    unset req.http.If-Modified-Since;
}
Tgr added a comment.Dec 4 2025, 12:56 AM

Do we understand why the cookie is defunct? It's called unconditionally in persistSession() as

$this->setLoggedOutCookie( $session->getLoggedOutTimestamp(), $request );

so I guess $session->getLoggedOutTimestamp() always returns 0? Should we get rid of that (and generally the loggedOut field in session metadata) as well? The other thing it gets used for is setting User::$mTouched for anonymous users.

setLoggedOutTimestamp() is called on logout, but since we are unpersisting the session on logout, I'm not sure what that's supposed to achieve.

gerritbot added a comment.Dec 12 2025, 2:19 PM

Change #1217757 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Remove LoggedOut cookie logic

https://gerrit.wikimedia.org/r/1217757

gerritbot added a comment.Dec 12 2025, 2:39 PM

Change #1203252 merged by jenkins-bot:

[mediawiki/core@master] Remove defunct LoggedOut cookie

https://gerrit.wikimedia.org/r/1203252

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.7; 2025-12-16).Dec 12 2025, 3:00 PM
gerritbot added a comment.Dec 12 2025, 3:56 PM

Change #1217774 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/puppet@production] Remove LoggedOut cookie handling

https://gerrit.wikimedia.org/r/1217774

matmarex subscribed.Dec 12 2025, 4:29 PM
gerritbot added a comment.Dec 12 2025, 4:33 PM

Change #1217790 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] Remove LoggedOut cookie logic

https://gerrit.wikimedia.org/r/1217790

gerritbot added a comment.Dec 12 2025, 4:35 PM

Change #1217757 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Remove LoggedOut cookie logic

https://gerrit.wikimedia.org/r/1217757

matmarex edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team (Radar).Dec 18 2025, 1:41 AM
matmarex moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.
gerritbot added a comment.Dec 18 2025, 9:06 PM

Change #1217790 merged by jenkins-bot:

[operations/mediawiki-config@master] Remove LoggedOut cookie logic

https://gerrit.wikimedia.org/r/1217790

Stashbot added a comment.Dec 18 2025, 9:06 PM

Mentioned in SAL (#wikimedia-operations) [2025-12-18T21:06:55Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1217790|Remove LoggedOut cookie logic (T142542)]], [[gerrit:1219588|Turn on Parsoid Read Views on itwiki (T413084)]], [[gerrit:rOPUP121728222dda|Logos: Handle missing responsive URLs, manually modify thumbnail sizes to avoid $wgThumbnailSteps (T405169)]]

Stashbot mentioned this in T413084: Parsoid Read Views to deploy ~2025-12-18 (itwiki, nlwiki).Dec 18 2025, 9:06 PM
Stashbot mentioned this in T405169: logos/manage.py does not find 1.5x logo.

Mentioned in SAL (#wikimedia-operations) [2025-12-18T21:08:54Z] <tgr@deploy2002> pppery, tgr, cscott: Backport for [[gerrit:1217790|Remove LoggedOut cookie logic (T142542)]], [[gerrit:1219588|Turn on Parsoid Read Views on itwiki (T413084)]], [[gerrit:rOPUP121728222dda|Logos: Handle missing responsive URLs, manually modify thumbnail sizes to avoid $wgThumbnailSteps (T405169)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Dec 18 2025, 9:13 PM

Mentioned in SAL (#wikimedia-operations) [2025-12-18T21:13:23Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1217790|Remove LoggedOut cookie logic (T142542)]], [[gerrit:1219588|Turn on Parsoid Read Views on itwiki (T413084)]], [[gerrit:rOPUP121728222dda|Logos: Handle missing responsive URLs, manually modify thumbnail sizes to avoid $wgThumbnailSteps (T405169)]] (duration: 06m 28s)

gerritbot added a comment.Dec 18 2025, 10:57 PM

Change #1217774 merged by RLazarus:

[operations/puppet@production] Remove LoggedOut cookie handling

https://gerrit.wikimedia.org/r/1217774

Maintenance_bot removed a project: Patch-For-Review.Dec 18 2025, 11:30 PM
matmarex closed this task as Resolved.Dec 20 2025, 7:37 PM
matmarex claimed this task.

Looks all done in MediaWiki and WMF configs.

matmarex removed matmarex as the assignee of this task.Dec 20 2025, 7:37 PM
matmarex mentioned this in T33639: MediaWiki should use ETags instead of Last-Modified and the Logged out cookie hack.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits