T5233 has now been resolved, and seems to work great when autoblocking accounts. However it would be nice to have this same cookie block functionality when blocking IPs. For instance, say I am vandalizing while logged out on a mobile device and my IP gets blocked. I walk down the street, and I have a new IP, and am able to resume vandalizing. If a cookie is stored with a reference to the IP block, it could be reloaded. Another use case is blocking residential IPs, where their IPv6 address may be refreshed quickly. Currently, we may do a range block to effectively block all IPs allocated to that end user. However many admins are not comfortable doing this, and it seems a cookie would do the job just as well for your common vandal who isn't particularly tech-savvy.
For this I think the cookie should last the length of an autoblock (24 hours for Wikimedia projects), to minimize collateral damage.
- When the system identifies a person is accessing the wiki from an IP address or range that is currently blocked, a cookie should be dropped on their computer.
- If a user with the active cookie edits from a different IP address, the should see a block message with the original block ID
- Block cookies should expire after 24 hours or the length of the actual block, whichever is shorter.
- T191542: Implement event logging for IP cookie blocks to make sure it's working reasonably
- Add feature flag for block cookie behavior to disable if needed.
- When in doubt, emulate T5233