Page MenuHomePhabricator

remove token logging, or change to sessionId cookie
Open, MediumPublic


When Campaign logs a ServerSideAccountCreation event, it still logs the '' cookie as the token field.

As says, client-side code no longer sets this long-lived cookie since T46327: mediawiki.user: Anonymous users should not be identifiable cross sessions was fixed in May 2013. Instead if is called it sets a 'mediaWiki.user.sessionId' cookie.

Depending on need and privacy policy, Campaign could be changed to not log token, or to log the new 'mediaWiki.user.sessionId' cookie. FYI account creation does not currently set either cookie; the current callers of are AFT, AFTv5, and UniversalLanguageSelector.

Many events still have a non-blank token (30% of all enwiki and dewiki account creations). Apparently people are creating accounts in browsers that set this cookie months ago.

Version: master
Severity: minor



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 1:50 AM
bzimport set Reference to bz52079.
Spage set Security to None.