As part of an effort to improve web performance, in 2017 I migrated the persistence of the EventLogging-related "session ID" from being stored in an HTTP session-cookie, to being stored in HTML5 Session Storage.
This "session ID" is an anonymous token temporarily assigned to a user viewing a specific website (e.g. en.wikipedia.org), unrelated to their account (if they have one), and not coordinated between wikis.
When using an HTTP session cookie:
- It expires at the end of the browsing session (e.g. when you close the browser and don't use the "restore session" feature some browsers have), or when browsers delete them to free up space by removing cookies from sites you haven't visited recently (e.g. after 7 days in case of Safari).
- For as long as it has not expired, it is the same between different tabs to the same website.
- It is sent to the server (and ignored there) because the Cookie transportation mechanism does not have a way to be "JS-only" (it does have HTTP-only, which we cannot use here).
When using HTML5 sessionStorage:
- It expires with the lifetime of a single logical browsing "tab". They live for as long as the tab is alive in some form or another. Going from one page to another within the same website within the same tab, is still the same "tab". You can also go to a different website in that tab, and then use the "Back" and "Forward" mechanisms to revisit the old page in the same tab, and still associate the same HTML session. In most browsers, one can also re-open a closed tab within a limited time from the History menu. When closing a browser complete there is not a way to restore it usually. Not even when "restoring the browser session".
The reason for migrating it in 2017 was to reduce network traffic (bandwidth cost for users) between browser and server for information only never needed on the browser. The session cookies, while having all the correct behaviours we want, are also sent to the server, which adds a cost that negatively impacts performance.
It was my (incorrect) understanding that HTML5 session storage is like HTTP cookie sessions, except without the cost of HTTP transfers.
Migrate the storing mechanism for this token back from HTML5 session storage to HTTP session cookies. This is technically a simple task to do.
Check the box if this change is desirable for your team, and if you have concerns about when to deploy it (e.g. not during a particular research campaign), also let us know in the comments below when you'd prefer this to (not) roll out.
- Performance Team (implied).
- Product Analytics