
Wiki sites should delete all their cookies during logout
Open, Low, Public

Description

Here is what I do:

  1. Remove all cookies
  2. Log in to wikipedia.org
  3. Log out from wikipedia.org

These steps leave dozens of cookies for various wikimedia sites, even for ones that I didn't use in the session, like wikinews.org, wikitravel.org, wiktionary.org.
Since wikipedia isn't supposed to do any kind of clandestine user tracking, wikipedia shouldn't leave cookies.

Please delete all cookies when the user logs out.

Event Timeline

As far as I know you cannot directly delete a cookie on a remote machine, only make the browser delete the cookie by setting the cookie's expiration date to a past date. And I do not think that is wanted here, and not setting cookies for other Wikimedia sites would destroy the intention of Unified Login.

@Yurivict: Are you aware of any other solutions? Why is the current behavior exactly a problem and how is "clandestine user tracking" currently done according to your opinion / investigation?

I don't think wikipedia does user tracking. But the situation where, after the login/logout cycle, the site still looks the same but the cookies are now present begs the question "what is different now?" IMO there is no need to have this preserved state, since it doesn't serve any obvious purpose, so the cleanest way is to delete the cookies.

Leaving cookies after the logout also doesn't serve the unified login, because it works just fine without them. The server can also remember any additional information about the user without the need to save it in cookies.

The answer here says that the value should be cleared in addition to the date being set in the past, like you said. The fact that this doesn't guarantee deletion in 100% of browsers is beside the point, because this is intended for well-behaved browsers, not reconfigured ones.

Some sites nowadays even ask the user if he agrees that the cookies will be used, and if the user agrees to keep them after the logout.
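The two mechanics discussed above (a server can only ask the browser to drop a cookie by sending it back with an empty value and an expiry in the past, and a response can only do that for cookies scoped to its own domain) as an added Python example; this is not MediaWiki code, and the cookie name `session` and the hosts used in it are constructed samples.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# A date already in the past: the signal that makes a browser drop a cookie.
EXPIRED = "Thu, 01 Jan 1970 00:00:00 GMT"

def domain_matches(host, domain):
    """RFC 6265 domain-match: the host a response comes from may only set or
    clear cookies whose Domain is that host or one of its parent domains."""
    host, domain = host.lower(), (domain or host).lstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def clear_cookie_headers(host, cookies):
    """Build the Set-Cookie headers a logout response from `host` needs in order
    to clear `cookies`, given as (name, domain, path) exactly as originally set.
    Returns (headers, unclearable): cookies scoped to another site, e.g. ones
    set for a sister project, cannot be cleared from this response at all."""
    headers, unclearable = [], []
    for name, domain, path in cookies:
        if not domain_matches(host, domain):
            unclearable.append(name)
            continue
        attrs = [f"{name}=", "Max-Age=0", f"Expires={EXPIRED}", f"Path={path}"]
        if domain:
            attrs.append(f"Domain={domain}")
        headers.append("; ".join(attrs))
    return headers, unclearable

def is_cleared(set_cookie, name, domain, path):
    """Check whether one Set-Cookie header really clears cookie `name` for the
    given scope: empty value, matching Domain/Path, and an expiry in the past."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return False
    m = jar[name]
    same_domain = (m["domain"] or "").lstrip(".").lower() == (domain or "").lstrip(".").lower()
    if m.value != "" or not same_domain or (m["path"] or "/") != path:
        return False
    if m["max-age"] == "0":
        return True
    if not m["expires"]:
        return False
    try:
        return parsedate_to_datetime(m["expires"]) <= datetime.now(timezone.utc)
    except (TypeError, ValueError):
        return False
```

Running `clear_cookie_headers("en.wikipedia.org", [("session", ".wikipedia.org", "/"), ("session", ".wiktionary.org", "/")])` yields one clearing header and reports the wiktionary cookie as unclearable, which is the practical limit on "delete all cookies" from a single logout response.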

Hi @Yurivict ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that this Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly. Thank you!

@Jcross: We do not delete cookies after logout, so the task is technically correct. Whether it is feasible or wanted is another question...