
Wiki sites should delete all their cookies during logout
Open, Needs Triage · Public

Description

Here is what I do:

  1. Remove all cookies
  2. Log in to wikipedia.org
  3. Log out from wikipedia.org

These steps leave dozens of cookies for various Wikimedia sites, even for ones that I didn't use in the session, like wikinews.org, wikitravel.org, wiktionary.org.
Since Wikipedia isn't supposed to do any kind of clandestine user tracking, Wikipedia shouldn't leave cookies.

Please delete all cookies when the user logs out.

Event Timeline

Yurivict created this task. Aug 15 2016, 4:13 PM
Restricted Application added a subscriber: Aklapper. Aug 15 2016, 4:13 PM

As far as I know you cannot directly delete a cookie on a remote machine, only make the browser delete the cookie by setting the cookie's expiration date to a past date. And I do not think that is wanted here, and not setting cookies for other Wikimedia sites would destroy the intention of Unified Login.

@Yurivict: Are you aware of any other solutions? Why is the current behavior exactly a problem and how is "clandestine user tracking" currently done according to your opinion / investigation?

I don't think Wikipedia does user tracking. But the situation where, after the login/logout cycle, the site still looks the same but the cookies are now present begs the question "what is different now?" IMO there is no need to have this preserved state, since it doesn't serve any obvious purpose, so the cleanest way is to delete the cookies.

Leaving cookies after the logout also doesn't serve the unified login, because it works just fine without them. The server can also remember any additional information about the user without the need to save it in cookies.

The answer here says that the value should be cleared in addition to the date set in the past, like you said. The fact that this doesn't guarantee deletion in 100% of browsers is beside the point because this is intended for well-behaved browsers, not reconfigured ones.

Some sites nowadays even ask the user if he agrees that the cookies will be used, and if the user agrees to keep them after the logout.
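
The deletion technique discussed in this thread (an empty value plus an expiry date in the past), as an added example that is not part of the original task or of MediaWiki's code. It goes beyond the thread by modelling two RFC 6265 rules that decide whether such a header has any effect: a cookie is only replaced when name, domain and path all match, and a browser ignores a `Set-Cookie` whose `Domain` does not match the responding host. The cookie name `session`, the jar model and all function names are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import formatdate, parsedate_to_datetime

def expire_header(name, domain, path):
    """Set-Cookie value that asks a browser to drop one cookie."""
    past = formatdate(0, usegmt=True)  # Thu, 01 Jan 1970 00:00:00 GMT
    return f"{name}=; Domain={domain}; Path={path}; Expires={past}; Max-Age=0"

def domain_match(host, domain):
    host, domain = host.lower(), domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def apply_set_cookie(jar, host, header):
    """Simplified browser side. jar maps (name, domain, path) -> value.
    Returns False when the header is ignored."""
    pair, *rest = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    attrs = {}
    for item in rest:
        k, _, v = item.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", host).lstrip(".").lower()
    if not domain_match(host, domain):
        return False  # a host cannot set or expire another site's cookies
    if "max-age" in attrs:
        expired = int(attrs["max-age"]) <= 0
    elif "expires" in attrs:
        expired = parsedate_to_datetime(attrs["expires"]) <= datetime.now(timezone.utc)
    else:
        expired = False
    key = (name, domain, attrs.get("path", "/"))
    if expired:
        jar.pop(key, None)  # only an exact name/domain/path match is removed
    else:
        jar[key] = value
    return True

def logout_demo():
    # Constructed jar; "session" is an illustrative name, not a real Wikimedia cookie.
    jar = {("session", "wikipedia.org", "/"): "abc",
           ("session", "wiktionary.org", "/"): "def"}
    steps = [("en.wikipedia.org", expire_header("session", "wikipedia.org", "/w")),
             ("en.wikipedia.org", expire_header("session", "wikipedia.org", "/")),
             ("en.wikipedia.org", expire_header("session", "wiktionary.org", "/")),
             ("en.wiktionary.org", expire_header("session", "wiktionary.org", "/"))]
    return [(apply_set_cookie(jar, h, hdr), sorted(d for _, d, _ in jar)) for h, hdr in steps]
```

In `logout_demo()` the first header has the wrong path and removes nothing, and the third is ignored outright because wikipedia.org cannot expire a wiktionary.org cookie; each domain has to send its own expiring header.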