
Clear site data on MediaWiki log out
Open, Medium, Public

Description

Right now when a user logs out of MediaWiki, a significant amount of state can stay behind spanning both the logged-in and logged-out browsing session, which is likely unexpected from a user perspective.

While we take care to expire the PHP session data and the PHP session cookie on the client, other cookies (session-bound or otherwise) and all browser storage (sessionStorage and localStorage) remain.

The session-bound cookies and sessionStorage values should be cleared if the user remembers to properly close all windows and quit the browser. But even then other storage remains.

And more likely, a user may close the browser in its entirety, in which case most modern browsers are helpful enough to save it anyway and offer to restore the session upon re-opening of the browser.

Logging-out is the key user interaction here that we should use to clear everything else.

This could be taken care of by loading some JavaScript code on the page in response to the POST request after a successful log-out.

In addition, we can use the Clear-Site-Data header which can help clear additional things in supported browsers (such as HTTP caches).

Clear Site Data (W3C specification)
https://www.w3.org/TR/clear-site-data/

Event Timeline

Based on https://www.chromestatus.com/feature/4713262029471744 this appears to be a Chromium/Opera-only feature right now? https://bugzilla.mozilla.org/show_bug.cgi?id=1268889 is the request to implement this in Firefox.

Yeah, this task is for doing it in general, which will require JS code for now, but we can and should still do that first.

The header just helps it happen sooner in supported browsers, no harm in adding it. Especially on mobile the header can help make the deletion scheduled natively even if the user closes the page before all the JS arrives and executes.

Note that we specifically want certain things to remain present after logout, including the user name cookie used to prefill the field on a subsequent login, the cookie for the "cookie block" feature I've heard some talk about, and the new anonymous session cookie (if any). There's also T142542 that wants to return to setting a LoggedOut cookie.

We'd also possibly want to preserve UI state cookies and local storage, e.g. things that remember whether some UI element is expanded or collapsed.

Users may or may not also expect gadget or user script data saved to cookies or local storage to remain across a logout and log-back-in; that should probably be investigated.

At a quick glance, it seems Clear Site Data may not be particularly suitable for WMF use, both in that it can only clear all or none of various things and in that it only works for the current origin (e.g. it'd clear en.wikipedia.org, but not de.wikipedia.org, fr.wikipedia.org, etc.). I may, of course, be mistaken.
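
An added example (not part of this task or of MediaWiki's code) combining the two approaches discussed above: send Clear-Site-Data only for the HTTP cache, which script cannot reach, and clear cookies and storage selectively in JavaScript so that allowlisted items survive. The allowlist patterns, storage key names and sample values are constructed for illustration.

```javascript
// Added example: KEEP_* patterns and all sample data are constructed, not MediaWiki's.
const KEEP_COOKIES = [/UserName$/, /^WMF-Last-Access$/]; // assumed allowlist
const KEEP_STORAGE = [/^ui-state:/];                      // hypothetical key prefix

const kept = (name, allow) => allow.some((re) => re.test(name));

// Header value for the logout response. Each directive is all-or-nothing, so
// only "cache" is sent; "cookies" or "storage" would wipe allowlisted items too.
function clearSiteDataValue(types = ['cache']) {
  return types.map((t) => `"${t}"`).join(', ');
}

// Works on localStorage, sessionStorage, or any object with the Storage API.
function clearStorage(storage, allow = KEEP_STORAGE) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
  // Snapshot first: removeItem() shifts the indices that key(i) walks over.
  const removed = keys.filter((k) => !kept(k, allow));
  removed.forEach((k) => storage.removeItem(k));
  return removed;
}

// Turns a document.cookie string into expiry assignments for non-allowlisted
// cookies. HttpOnly cookies are invisible to script and must be expired by the
// server; cookies set with another Path or Domain need matching attributes.
function cookieExpiries(cookieString, allow = KEEP_COOKIES) {
  return cookieString.split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter((name) => name && !kept(name, allow))
    .map((name) => `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`);
}

// Minimal in-memory Storage stand-in so the example runs outside a browser.
function fakeStorage(init) {
  const m = new Map(Object.entries(init));
  return {
    get length() { return m.size; },
    key: (i) => [...m.keys()][i] ?? null,
    removeItem: (k) => { m.delete(k); },
  };
}

function demo() {
  const store = fakeStorage({ 'ui-state:sidebar': 'collapsed', 'draft:Main_Page': 'text', 'recent-searches': '[]' });
  const cookies = 'exampleUserName=Alice; WMF-Last-Access=06-Nov-2017; exampleToken=abc';
  return { header: clearSiteDataValue(), removed: clearStorage(store), left: store.length, expire: cookieExpiries(cookies) };
}
```

In a browser the same functions would be called as `clearStorage(localStorage)`, `clearStorage(sessionStorage)` and `cookieExpiries(document.cookie).forEach((c) => { document.cookie = c; })`, once per origin, since neither script nor the header reaches other wiki domains.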

fdans moved this task from Incoming to Radar on the Analytics board.

Right now when a user logs out of MediaWiki, a significant amount of state can stay behind spanning both the logged-in and logged-out browsing session, which is likely unexpected from a user perspective.

This would be true of state that alters your interactions with the site. We certainly would like for analytics cookies to remain after logout, and they do not in any way affect the interactions of the user with the site. (Ex: WMF-Last-Access)

Nuria removed Nuria as the assignee of this task. Nov 6 2017, 6:28 PM
Nuria added a subscriber: Nuria.

Tagging Privacy-Engineering as FYI. This may be worth looking into and getting into our planning.

See Coding conventions, which recommend a workaround that I believe is likely not consistently followed currently and is also hard to notice or enforce.

JFishback_WMF moved this task from Incoming to Backlog on the Privacy Engineering board.