Page MenuHomePhabricator

Don't set cookies for at the caching layer
Open, MediumPublic


Almost all of our HTTP responses come back with three cookies that are set at the caching layer:

  • WMF-Last-Access
  • WMF-Last-Access-Global
  • GeoIP

Web API developers don't like to manage cookies. Since these seem to be mostly focused on analytics for tracking usage, they're unlikely to store and return these cookies. Just sending the cookies is a bad smell for API developers.

Since the API gateway is supposed to give a best-practices experience for developers, we'd like to make an exception for this server so that the cookies aren't emitted. I realise adding this kind of special case is a hassle, but it would be a nice bit of polish for our developer experience.

We're filtering out any other cookies that are set by MediaWiki (see T258748), so it would be nice to cover these too.

Event Timeline

Restricted Application added a project: Operations. · View Herald TranscriptAug 20 2020, 8:54 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
CDanis edited subscribers, added: BBlack; removed: Brandon.Aug 20 2020, 8:56 PM
colewhite triaged this task as Medium priority.Aug 21 2020, 3:23 PM

@Nuria we split the conversation here into T259296 and this ticket. @hnowlan is taking care of making sure the API server doesn't pass through cookies, so it's really checking if we are setting the GeoIP and other cookies in front of Envoy.