Page MenuHomePhabricator
Create Task
Maniphest T33639

MediaWiki should use ETags instead of Last-Modified and the Logged out cookie hack
Closed, ResolvedPublicFeature
Actions

Description

Right now MediaWiki supports browser caching of pages for both logged in and anonymous users through the Last-Modified header. MediaWiki uses a Loggedout cookie hack to prevent anons from being served a bad cache from when they were logged in. However there are a number of problems:

  • As a result of the logged out cookie, after you log out, for quite some time you are served 200 responses instead of proper 304's. In other words, even if you're capable of viewing a cache and your browser doesn't have a stale user cache in it you still won't get a cached page back. This means that logging in and then logging back out will make your wiki viewing potentially slower than being logged in.
  • As another result of the logged out cookie, even though you're an anon, you continue to bypass squid caches in most configurations and don't get the advantage of seeing the same efficiently cached pages as all the other anons.
  • And to top it off, the logged out cookie hack doesn't solve the issue in the other direction. You can view a page, get a Last-Modified header back, log in, go back to the page, and get a 304 that tells your browser to load it's cached page of you logged out instead of the proper one with your logged in interface.

The only way to fix all these troubles is to drop the Logged out cookie hack and instead use ETags which include info about the user so that when a user logs out, logs in, has their talkpage edited (because we want notifications to be sent), changes ip (if they're an anon and their ip address is being shown in the header), etc... the ETag's contents will change.

There's an interesting note about ETags. Browsers can send multiple ETags in their If-None-Match header. As a result a browser can actually have a logged out version and one (or maybe more) logged in versions of a page in their cache. If you view a page, log in, view it again, and log back out, when you go back to the page even though you viewed it with a different ETag and a different cached page, you could potentially end up getting a 304 because you still had a cached version for logged out users ;).

Version: unspecified
Severity: enhancement

Details

Reference
bz31639

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:54 PM
bzimport added a project: MediaWiki-General.
bzimport set Reference to bz31639.
bzimport added a subscriber: Unknown Object (MLST).
DanielFriesen created this task.Oct 12 2011, 5:20 AM
brooke added a comment.Oct 13 2011, 4:31 PM

Sounds plausible... after a logout or session timeout (which the logout cookie doesn't currently handle), coming back will ask for the page with your last-seen logged-in etag... the caching proxies don't have it cached since it's set for local-only, so pass it on to the backend app servers. MediaWiki then checks the etag and sees that it doesn't match the user id now active in your session (if any), and kicks back an anonymous page, with the anonymous etag.

Might need to distinguish between 'session but not logged in' and 'no session and not logged in'.

DanielFriesen added a comment.Oct 13 2011, 4:56 PM

(In reply to comment #1)

Might need to distinguish between 'session but not logged in' and 'no session
and not logged in'.

For anons we could include say the first 4 characters of an md5 of the session id in the ETag if there is a session.

Krinkle subscribed.May 8 2015, 4:27 AM
Krinkle added a project: MediaWiki-User-Interface.May 8 2015, 4:41 AM
Krinkle set Security to None.
Krinkle edited subscribers, added: ori; removed: Unknown Object (MLST).
Nemo_bis added a project: OKR-Work.Mar 13 2016, 10:14 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 13 2016, 10:14 AM
Tgr mentioned this in T142542: LoggedOut cookie not set anymore.Aug 15 2016, 6:40 PM
Krinkle edited projects, added Performance-Team; removed OKR-Work, MediaWiki-General.May 4 2019, 3:18 PM
kchapman moved this task from Inbox, needs triage to Radar on the Performance-Team board.May 6 2019, 8:04 PM
kchapman edited projects, added Performance-Team (Radar); removed Performance-Team.
Krinkle moved this task from Limbo to Watching on the Performance-Team (Radar) board.Jul 30 2019, 12:11 AM
Jdlrobson added a project: MediaWiki-libs-BagOStuff.Jan 13 2021, 5:54 PM
Krinkle moved this task from General to HTTP Cache on the MediaWiki-libs-BagOStuff board.Apr 2 2021, 8:59 PM
Krinkle closed subtask T49529: MediaWiki should check ETags as Declined.Apr 2 2021, 9:04 PM
Krinkle mentioned this in T279205: Harden and improve HTTP cache headers and purging in MediaWiki core (Sprint placeholder) .Apr 2 2021, 9:25 PM
Ciencia_Al_Poder subscribed.Sep 13 2021, 9:43 PM
Krinkle edited projects, added MediaWiki-Core-HTTP-Cache; removed MediaWiki-libs-BagOStuff.Jan 22 2022, 11:16 PM
Aklapper changed the subtype of this task from "Task" to "Feature Request".Feb 4 2022, 12:24 PM
Krinkle removed a project: Performance-Team (Radar).Aug 18 2023, 8:14 PM
Pppery removed a project: MediaWiki-User-Interface.May 9 2024, 4:09 AM
Krinkle mentioned this in T403866: Toggling desktop view doesn't toggle user back into mobile mode.Sep 11 2025, 2:29 AM
matmarex subscribed.Dec 20 2025, 7:38 PM

The LoggedOut cookie has been removed in T142542.

Krinkle closed this task as Resolved.Dec 22 2025, 2:14 AM
Krinkle claimed this task.
Krinkle added a project: MediaWiki-Platform-Team (Radar).
Task description in the year 2011:

In other words, even if you're capable of viewing a cache and your browser doesn't have a stale user cache in it you still won't get a cached page back. This means that logging in and then logging back out will make your wiki viewing potentially slower than being logged in.

This was basically fixed as of 2016 (possibly earlier) per T142542, because logging out failed to actually set the LoggedOut cookie, but did clear most other session cookies such that you're probably back to the state one would be logged-out.

In any event, browser caches honor Vary: Cookie and so don't rely on MediaWiki's Last-Modified hack. The presence of session cookies, and then the absence of those session cookies, suffices to make sure your browser won't even consider the "wrong" cache. Thus you don't see logged-out caches while logged-in, won't see logged-in caches after logging-out, and thus naturally qualify again for the same pre-login caches after logging out (assuming no other cookie changes). That part resolves the the stated problem of this task.

This task suggested swiching from Last-Modified to E-Tags, but that would not improve this today, because the predominant factor is the cookies. If the URL + cookie headers (and any other Vary headers) aren't the same, then a cache isn't matchable under HTTP cache semantics, and thus isn't considered by the browser (no If-Modified-Since sent, and thus does not trigger any server-side logic in MediaWiki for a possible chance at a HTTP 304 response).

MediaWiki does still use Last-Modified to revalidate caches based on the revision timestamp (page edits), user touched timestamp (preferences, talk page notif), and CDN epoch (i.e. don't renew misc skin HTML and other global state beyond 14 days). These are all time-based today which seems simple enough and equally effective as an E-Tag and arguably easier to debug and less surprising.

Krinkle mentioned this in T34364: Logged in status incorrectly displayed after a PHP session timeout.Dec 22 2025, 2:29 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits