Change Details

Cookies are deleterious to site performance because they hurt cache efficiency and because they bloat payload size. The bloat added by cookies is significant despite their relatively small byte size due to TCP slow-start. We should go over all cookies and work to eliminate as many of them as possible. At the time of writing (26-Aug-2015), localStorage is available for 92.76% of traffic. MediaWiki extensions which currently rely on cookies could use localStorage instead, except when the adverse effect on the user would be extremely high (for instance, the site would be unusable for a user if fundraising CentralNotices were displayed unconditionally). Documented at: https://www.mediawiki.org/wiki/Performance_guidelines#Cookies ----- # Overview of cookies found on Wikimedia wikis as of 2017-02-27 **All page loads** (all wikis, all users, logged-in and logged-out) | Name | Source | Purpose | Expiry | Comment |--|--|--|--|-- | CPl (all-frontend) | Varnish | Connection properties (e.g. HTTP/1.1 vs HTTP/2) | Session | Keep. Only known server-side, needed client-side. | GeoIP | Varnish (text-frontend) | Geo-location for CentralNotice banners | Session | Keep. Only known server-side, needed client-side. | WMF-Last-Access (all-frontend) | Varnish | Analytics | 32 days | Keep. Used server-side. | WMF-Last-Access-Global (all-frontend) | Varnish | Analytics | 32 days | Keep. Used server-side. **Most page loads** (conditional, but possible on all wikis, all users) | Name | Source | Purpose | Expiry | Comment |--|--|--|--|-- | <wiki-id>mwuser-sessionId | mediawiki.js | Generic client-side session id | Session | {icon check color=green} Moved to sessionStorage. <https://gerrit.wikimedia.org/r/340236> (1.29.0-wmf.15) | mediawikiwikiGeoFeaturesUser2 | WikimediaEvents JS | User token | 10 minutes | {icon check color=green} Moved to sessionStorage. <https://gerrit.wikimedia.org/r/340232> (1.29.0-wmf.14) | dismissSiteNotice | DismissableSiteNotice JS | Seen state | 30 days | {icon exclamation-triangle color=red} | `centralnotice_hide_*` | CentralNotice JS | Seen state | 7 days | {icon cog color=orange} Moving to localStorage. T108849 | `centralnotice_hide_fundraising` | CentralNotice JS | Seen state | 250 days | {icon cog color=orange} Moving to localStorage. T108849 **Editing** | Name | Source | Purpose | Expiry | Comment |--|--|--|--|-- | centralauth_Session | CentralAuth PHP | SUL | Session | Keep. Used server-side. httpOnly by default. | centralauth_Token | CentralAuth PHP | SUL | Configurable | Used server-side with centralauth_User for "remember me" functionality. httpOnly by default. | centralauth_User | CentralAuth PHP | SUL | Configurable | Used server-side with centralauth_Token for "remember me" functionality. httpOnly by default. | forceHTTPS | MediaWiki PHP | | 30 days | Keep. Used server-side. httpOnly by default. | <wiki-id>Session | MediaWiki PHP | Login/Session | Session | Keep. Used server-side. httpOnly by default. | <wiki-id>UserID | MediaWiki PHP | non-SUL Login | Configurable | Needed for non-SUL "remember me" functionality. httpOnly by default. | <wiki-id>Token | MediaWiki PHP | non-SUL Login | Configurable | Needed for non-SUL "remember me" functionality. Not set for SUL login. httpOnly by default. | <wiki-id>UserName | MediaWiki PHP | | Configurable | httpOnly by default. | <wiki-id>templates-used-list | MediaWiki JS | Collapse/expand state | 30 days | {icon check color=green} Moved to sessionStorage. <https://gerrit.wikimedia.org/r/340243> (1.29.0-wmf.15) | VEE | VisualEditor JS + PHP | Preferred editor mode | 30 days | {icon exclamation-triangle color=red} Move to localStorage? Used server-side for logged-in, prefs? (T181933) WARNING: Moving things to HTML5 sessionStorage (mw.storage.session) can be done freely. However take caution with moving things to localStorage as a proper expiry strategy is still being worked on. Avoid localStorage for the time being when dealing with variable keys. For 1 or 2 fixed keys, we can deal with expiry and clean-up on a case-by-case basis. WARNING: When moving keys to sessionStorage or localStorage (mw.storage) beware that there is no cookieprefix by default. If values must vary by wiki, then wgCookiePrefix must be manually made part of the key.

Cookies are deleterious to site performance because they hurt cache efficiency and because they bloat payload size. The bloat added by cookies is significant despite their relatively small byte size due to TCP slow-start. We should go over all cookies and work to eliminate as many of them as possible. At the time of writing (26-Aug-2015), localStorage is available for 92.76% of traffic. MediaWiki extensions which currently rely on cookies could use localStorage instead, except when the adverse effect on the user would be extremely high (for instance, the site would be unusable for a user if fundraising CentralNotices were displayed unconditionally). Documented at: https://www.mediawiki.org/wiki/Performance_guidelines#Cookies ----- # Overview of cookies found on Wikimedia wikis as of 2017-02-27 **All page loads** (all wikis, all users, logged-in and logged-out) | Name | Source | Purpose | Expiry | Comment |--|--|--|--|-- | CPl (all-frontend) | Varnish | Connection properties (e.g. HTTP/1.1 vs HTTP/2) | Session | Keep. Only known server-side, needed client-side. | GeoIP | Varnish (text-frontend) | Geo-location for CentralNotice banners | Session | Keep. Only known server-side, needed client-side. | WMF-Last-Access (all-frontend) | Varnish | Analytics | 32 days | Keep. Used server-side. | WMF-Last-Access-Global (all-frontend) | Varnish | Analytics | 32 days | Keep. Used server-side. **Most page loads** (conditional, but possible on all wikis, all users) | Name | Source | Purpose | Expiry | Comment |--|--|--|--|-- | <wiki-id>mwuser-sessionId | mediawiki.js | Generic client-side session id | Session | {icon check color=green} Moved to sessionStorage. <https://gerrit.wikimedia.org/r/340236> (1.29.0-wmf.15) | mediawikiwikiGeoFeaturesUser2 | WikimediaEvents JS | User token | 10 minutes | {icon check color=green} Moved to sessionStorage. <https://gerrit.wikimedia.org/r/340232> (1.29.0-wmf.14) | dismissSiteNotice | DismissableSiteNotice JS | Seen state | 30 days | {icon exclamation-triangle color=red} | `centralnotice_hide_*` | CentralNotice JS | Seen state | 7 days | {icon cog color=orange} Moving to localStorage. T108849 | `centralnotice_hide_fundraising` | CentralNotice JS | Seen state | 250 days | {icon cog color=orange} Moving to localStorage. T108849 **Editing** | Name | Source | Purpose | Expiry | Comment |--|--|--|--|-- | centralauth_Session | CentralAuth PHP | SUL | Session | Keep. Used server-side. httpOnly by default. | centralauth_Token | CentralAuth PHP | SUL | Configurable | Used server-side with centralauth_User for "remember me" functionality. httpOnly by default. | centralauth_User | CentralAuth PHP | SUL | Configurable | Used server-side with centralauth_Token for "remember me" functionality. httpOnly by default. | forceHTTPS | MediaWiki PHP | | 30 days | Keep. Used server-side. httpOnly by default. | <wiki-id>Session | MediaWiki PHP | Login/Session | Session | Keep. Used server-side. httpOnly by default. | <wiki-id>UserID | MediaWiki PHP | non-SUL Login | Configurable | Needed for non-SUL "remember me" functionality. httpOnly by default. | <wiki-id>Token | MediaWiki PHP | non-SUL Login | Configurable | Needed for non-SUL "remember me" functionality. Not set for SUL login. httpOnly by default. | <wiki-id>UserName | MediaWiki PHP | | Configurable | httpOnly by default. | <wiki-id>templates-used-list | MediaWiki JS | Collapse/expand state | 30 days | {icon check color=green} Moved to sessionStorage. <https://gerrit.wikimedia.org/r/340243> (1.29.0-wmf.15) | VEE | VisualEditor JS + PHP | Preferred editor mode | 30 days | {icon exclamation-triangle color=red} Move to localStorage? Used server-side for logged-in, prefs? (T181933) WARNING: Moving things to HTML5 sessionStorage (mw.storage.session) can be done freely. However take caution with moving things to localStorage as a proper expiry strategy is still being worked on. Avoid localStorage for the time being when dealing with variable keys. For 1 or 2 fixed keys, we can deal with expiry and clean-up on a case-by-case basis. WARNING: When moving keys to sessionStorage or localStorage (mw.storage) beware that there is no cookieprefix by default. If values must vary by wiki, then wgCookiePrefix must be manually made part of the key. See also: * {T194814}

Cookies are deleterious to site performance because they hurt cache efficiency and because they bloat payload size. The bloat added by cookies is significant despite their relatively small byte size due to TCP slow-start. We should go over all cookies and work to eliminate as many of them as possible. At the time of writing (26-Aug-2015), localStorage is available for 92.76% of traffic. MediaWiki extensions which currently rely on cookies could use localStorage instead, except when the adverse effect on the user would be extremely high (for instance, the site would be unusable for a user if fundraising CentralNotices were displayed unconditionally). Documented at: https://www.mediawiki.org/wiki/Performance_guidelines#Cookies ----- # Overview of cookies found on Wikimedia wikis as of 2017-02-27 **All page loads** (all wikis, all users, logged-in and logged-out) | Name | Source | Purpose | Expiry | Comment |--|--|--|--|-- | CPl (all-frontend) | Varnish | Connection properties (e.g. HTTP/1.1 vs HTTP/2) | Session | Keep. Only known server-side, needed client-side. | GeoIP | Varnish (text-frontend) | Geo-location for CentralNotice banners | Session | Keep. Only known server-side, needed client-side. | WMF-Last-Access (all-frontend) | Varnish | Analytics | 32 days | Keep. Used server-side. | WMF-Last-Access-Global (all-frontend) | Varnish | Analytics | 32 days | Keep. Used server-side. **Most page loads** (conditional, but possible on all wikis, all users) | Name | Source | Purpose | Expiry | Comment |--|--|--|--|-- | <wiki-id>mwuser-sessionId | mediawiki.js | Generic client-side session id | Session | {icon check color=green} Moved to sessionStorage. <https://gerrit.wikimedia.org/r/340236> (1.29.0-wmf.15) | mediawikiwikiGeoFeaturesUser2 | WikimediaEvents JS | User token | 10 minutes | {icon check color=green} Moved to sessionStorage. <https://gerrit.wikimedia.org/r/340232> (1.29.0-wmf.14) | dismissSiteNotice | DismissableSiteNotice JS | Seen state | 30 days | {icon exclamation-triangle color=red} | `centralnotice_hide_*` | CentralNotice JS | Seen state | 7 days | {icon cog color=orange} Moving to localStorage. T108849 | `centralnotice_hide_fundraising` | CentralNotice JS | Seen state | 250 days | {icon cog color=orange} Moving to localStorage. T108849 **Editing** | Name | Source | Purpose | Expiry | Comment |--|--|--|--|-- | centralauth_Session | CentralAuth PHP | SUL | Session | Keep. Used server-side. httpOnly by default. | centralauth_Token | CentralAuth PHP | SUL | Configurable | Used server-side with centralauth_User for "remember me" functionality. httpOnly by default. | centralauth_User | CentralAuth PHP | SUL | Configurable | Used server-side with centralauth_Token for "remember me" functionality. httpOnly by default. | forceHTTPS | MediaWiki PHP | | 30 days | Keep. Used server-side. httpOnly by default. | <wiki-id>Session | MediaWiki PHP | Login/Session | Session | Keep. Used server-side. httpOnly by default. | <wiki-id>UserID | MediaWiki PHP | non-SUL Login | Configurable | Needed for non-SUL "remember me" functionality. httpOnly by default. | <wiki-id>Token | MediaWiki PHP | non-SUL Login | Configurable | Needed for non-SUL "remember me" functionality. Not set for SUL login. httpOnly by default. | <wiki-id>UserName | MediaWiki PHP | | Configurable | httpOnly by default. | <wiki-id>templates-used-list | MediaWiki JS | Collapse/expand state | 30 days | {icon check color=green} Moved to sessionStorage. <https://gerrit.wikimedia.org/r/340243> (1.29.0-wmf.15) | VEE | VisualEditor JS + PHP | Preferred editor mode | 30 days | {icon exclamation-triangle color=red} Move to localStorage? Used server-side for logged-in, prefs? (T181933) WARNING: Moving things to HTML5 sessionStorage (mw.storage.session) can be done freely. However take caution with moving things to localStorage as a proper expiry strategy is still being worked on. Avoid localStorage for the time being when dealing with variable keys. For 1 or 2 fixed keys, we can deal with expiry and clean-up on a case-by-case basis. WARNING: When moving keys to sessionStorage or localStorage (mw.storage) beware that there is no cookieprefix by default. If values must vary by wiki, then wgCookiePrefix must be manually made part of the key. See also: * {T194814}