I'm trying to understand the purpose of the LoggedOut cookie. I have two problems:
1) The comments state that it is in order to assist with caching / refreshing the right information. However, the cookie is only set (well, can only be set) if the user logs out very explicitly by clicking the log out button. I suspect, many users will not do that, e.g. by quitting the browser or abandoning the current session, leaving that cookie absent or holding the wrong value. How useful can this mechanism be -- but see next question -- if many/most people do not / will not activate it?
2) Based on looking at the code, I'm not certain that the caching behavior implemented with the LoggedOut cookie really works. Also, I don't recall having ever seen a similar mechanism with any other website. Is there any Wikipedia-specific functionality that can only be accomplished with this cookie that somehow I don't see?
I'd really appreciate it if somebody in the know could help me here. Alternatively, can we get rid of it?!?
Johannes Ernst
Johannes Ernst wrote:
I'm trying to understand the purpose of the LoggedOut cookie. I have two problems:
- The comments state that it is in order to assist with caching / refreshing the right information. However, the cookie is only set (well, can only be set) if the user logs out very explicitly by clicking the log out button. I suspect, many users will not do that, e.g. by quitting the browser or abandoning the current session, leaving that cookie absent or holding the wrong value. How useful can this mechanism be -- but see next question -- if many/most people do not / will not activate it?
It's useful because it cuts down on complaints of the form: "I logged out, but I went to a page and it logged me right back in! But then I tried to edit and it logged me out again!"
- Based on looking at the code, I'm not certain that the caching behavior implemented with the LoggedOut cookie really works. Also, I don't recall having ever seen a similar mechanism with any other website. Is there any Wikipedia-specific functionality that can only be accomplished with this cookie that somehow I don't see?
MediaWiki tries to let the client cache wiki pages in order to speed things up when clicking around to pages you've already been at; from what I've seen most dynamic sites don't bother with this, so they may not require particular handling of the logout case.
When you revisit a page, the client sends an If-Modified-Since header with the value of the Last-Modified header sent from the server on the previous visit.
The wiki compares this time against:
- a global cache invalidation timestamp ($wgCacheEpoch)
- the page_touched field for the page; updated on edit and on modification of linked resources that would change rendering
- the user_touched field for the user; updated on login, logout, change of preferences, addition to the talk page, clearing of the new talk flag, changes to the watchlist
If the given time postdates all those, then a '304 Not Modified' response is sent; the page doesn't have to be rendered or transferred over the network and it's displayed more quickly to the user.
If the given time is older than any of those, then it means something may have changed that alters how the output should appear; it's re-rendered and HTML gets sent down the wire.
Now, if you log out then the user_touched timestamp isn't exactly applicable; there's no account connected to the session. Setting a cookie is a way to force that, and let the wiki know that a cached page from before the logout should be rerendered.
It doesn't handle the timeout / quit browser case, no, but that doesn't matter too much. It's there to handle the "OMFG I'm still logged in even though I logged out!!!!!!1111eleven" case.
-- brion vibber (brion @ pobox.com)
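Added example, not part of the original thread and not MediaWiki's own code: a Python sketch of the If-Modified-Since comparison described in the message above, showing why an anonymous revisit after logout is answered with 304 (the cached logged-in page is reused) unless a logout timestamp is part of the comparison. The function names, the constructed timeline, and the assumption that the LoggedOut cookie value is an HTTP date are illustrative.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

UTC = timezone.utc
CACHE_EPOCH = datetime(2005, 10, 1, tzinfo=UTC)  # stands in for $wgCacheEpoch

def parse_http_date(value):
    """Parse an HTTP date; return None if missing or malformed."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=UTC)

def conditional_status(if_modified_since, page_touched, user_touched=None,
                       logged_out_cookie=None):
    """Return 304 when the client's copy is still valid, otherwise 200.

    user_touched is None for an anonymous session. logged_out_cookie is the
    raw LoggedOut cookie value, assumed here to hold the logout time.
    """
    client_time = parse_http_date(if_modified_since)
    if client_time is None:
        return 200  # no usable validator: render the page
    stamps = [CACHE_EPOCH, page_touched]
    if user_touched is not None:
        stamps.append(user_touched)
    if logged_out_cookie is not None:
        logout_time = parse_http_date(logged_out_cookie)
        if logout_time is None:
            return 200  # unreadable cookie: fail towards re-rendering
        stamps.append(logout_time)
    # ">=" because the browser echoes back the Last-Modified value it was given
    return 304 if client_time >= max(stamps) else 200

# Constructed timeline: page edited 10 Oct; login 13:00 and logout 14:00 on 12 Oct.
PAGE_TOUCHED = datetime(2005, 10, 10, tzinfo=UTC)
LOGIN = datetime(2005, 10, 12, 13, 0, tzinfo=UTC)
LOGOUT = datetime(2005, 10, 12, 14, 0, tzinfo=UTC)
CACHED = format_datetime(LOGIN, usegmt=True)  # Last-Modified of the logged-in copy

def revisit_after_logout(send_cookie):
    """Anonymous revisit of a page cached while logged in."""
    cookie = format_datetime(LOGOUT, usegmt=True) if send_cookie else None
    return conditional_status(CACHED, PAGE_TOUCHED, logged_out_cookie=cookie)

if __name__ == "__main__":
    print("without LoggedOut:", revisit_after_logout(False))
    print("with LoggedOut:   ", revisit_after_logout(True))
```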
Hmm ... see in-lined.
On Oct 12, 2005, at 14:04, Brion Vibber wrote:
Johannes Ernst wrote:
I'm trying to understand the purpose of the LoggedOut cookie. I have two problems:
- The comments state that it is in order to assist with caching / refreshing the right information. However, the cookie is only set (well, can only be set) if the user logs out very explicitly by clicking the log out button. I suspect, many users will not do that, e.g. by quitting the browser or abandoning the current session, leaving that cookie absent or holding the wrong value. How useful can this mechanism be -- but see next question -- if many/most people do not / will not activate it?
It's useful because it cuts down on complaints of the form: "I logged out, but I went to a page and it logged me right back in! But then I tried to edit and it logged me out again!"
Okay, I understand how this could occur and why users would be upset. However, couldn't the same effect be accomplished simply by removing the session cookie? If I understand HTTP caching correctly -- well, that may mean nothing because my knowledge on that subject is cursory -- then pages are only supposed to be cached if the cookie information is the same. Removing the session cookie would accomplish this, just like adding the LoggedOut cookie does?
- Based on looking at the code, I'm not certain that the caching behavior implemented with the LoggedOut cookie really works. Also, I don't recall having ever seen a similar mechanism with any other website. Is there any Wikipedia-specific functionality that can only be accomplished with this cookie that somehow I don't see?
MediaWiki tries to let the client cache wiki pages in order to speed things up when clicking around to pages you've already been at; from what I've seen most dynamic sites don't bother with this, so they may not require particular handling of the logout case.
When you revisit a page, the client sends an If-Modified-Since header with the value of the Last-Modified header sent from the server on the previous visit.
The wiki compares this time against:
- a global cache invalidation timestamp ($wgCacheEpoch)
- the page_touched field for the page; updated on edit and on modification of linked resources that would change rendering
- the user_touched field for the user; updated on login, logout, change of preferences, addition to the talk page, clearing of the new talk flag, changes to the watchlist
If the given time postdates all those, then a '304 Not Modified' response is sent; the page doesn't have to be rendered or transferred over the network and it's displayed more quickly to the user.
If the given time is older than any of those, then it means something may have changed that alters how the output should appear; it's re-rendered and HTML gets sent down the wire.
Now, if you log out then the user_touched timestamp isn't exactly applicable; there's no account connected to the session.
Ah! Here seems to be the poodle's core... In other words, the LoggedOut cookie captures information (the time of log out) that is associated with this particular user, although the user has decided to log out ...
Setting a cookie is a way to force that, and let the wiki know that a cached page from before the logout should be rerendered.
Let me ask the other way around. Why wouldn't the following, much simplified scenario work:
- there is only one cookie, xxx_session that is ever set by MediaWiki
- it is set as a result of a successful authentication
- is removed as a result of a log out.
- caching / re-rendering is performed strictly based on the cookie value and the modification times of the page
There may be information that needs to be tracked on a per-user basis even for anonymous users (I just say that, I don't know. Is there?) so user Anonymous 1 can be distinguished from Anonymous 2. If there is, that information could also be held by a (really different) session cookie which is created when the user logs off and removed when the user logs on. In order for the If-modified-since to work, it probably would have to have a different value than when the user was still logged on.
(I'm also not sure why the xxxUserName cookie is needed -- it stays around after logout -- isn't that a privacy problem? With automatic form-fill in the newer browsers, that should not really be necessary? But that's a different question)
It doesn't handle the timeout / quit browser case, no, but that doesn't matter too much. It's there to handle the "OMFG I'm still logged in even though I logged out!!!!!!1111eleven" case.
-- brion vibber (brion @ pobox.com)
Johannes Ernst
Johannes Ernst wrote:
Let me ask the other way around. Why wouldn't the following, much simplified scenario work:
- there is only one cookie, xxx_session that is ever set by MediaWiki
- it is set as a result of a successful authentication
- is removed as a result of a log out.
- caching / re-rendering is performed strictly based on the cookie value and the modification times of the page
The browser doesn't tell us its previous cookie, just the timestamp. There should be a Vary: on cookie, but I'm not sure this makes a difference to the end-browser's behavior (it's targeted at intermediate caches). Could you test this and report back?
-- brion vibber (brion @ pobox.com)