Maybe I'm missing something, but where is the 180 days number coming from. When User::setCookies() sets the cookies, it gives it no expiry, so in reality the cookie persists until the browser removes it.
*--* *Tyler Romeo* Stevens Institute of Technology, Class of 2015 Major in Computer Science www.whizkidztech.com | tylerromeo@gmail.com
On Tue, Dec 18, 2012 at 11:07 PM, Matthew Flaschen mflaschen@wikimedia.orgwrote:
On 12/18/2012 06:50 PM, bawolff wrote:
On Tue, Dec 18, 2012 at 5:41 PM, Kevin Israel pleasestand@live.com
wrote:
Even if you do not check "Remember my login on this browser", the username is saved for 180 days (which, by the way, is four times the duration set out in the WMF privacy policy). As far as I can tell, this "feature" has existed at least since the phase3 reorg in 2003, if not before then.
Not really. The cookie expiration was bumped to 180 days back in August of 2011. Before that we had a shorter expiry. See https://www.mediawiki.org/wiki/Special:Code/MediaWiki/94430 . Given that the user has to agree to the remember me function, I do not feel this is a privacy concern.
No, I tested and Kevin is correct. The "remember me" controls whether the user_token cookie is set: https://www.mediawiki.org/wiki/Manual:User_table#user_token . In practice, this means you will be logged in for 180 days.
But even if you don't check it, your username and user id (but not password or "being logged in") will be cached in a cookie for 180 days.
I believe the relevant code starts at
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes... .
I have reported the 30 v. 180 discrepancy to legal@wikimedia.org
Matt Flaschen
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l