On Thu, Sep 29, 2016 at 4:00 PM, Brian Wolff bawolff@gmail.com wrote:
> This way it will work for users without cookies (maybe none exist, but I like the idea you can edit Wikipedia without cookies)

There have been people who disabled cookies and still wanted to be able to use the sites.

> and for users who have rapidly changing IPs.

Well, only after they manage to get a session cookie set. I see the patch there attempts to account for that by creating a session on token failure via HTMLForm, which is good, although there are other code paths that would need the same sort of thing (e.g. API token checks).

> It will also have minimal breakage, as you won't have to adjust any existing usages of tokens (for example, on special pages).

Note it will affect scripts and API clients that expect to see "+" as the token as a sign that they're logged out, or worse assume that's the token and don't bother to fetch it.