tstarling@svn.wikimedia.org wrote:
> Revision: 29682
> Author: tstarling
> Date: 2008-01-13 03:47:07 +0000 (Sun, 13 Jan 2008)
>
> Log Message:
> Revert r29671, it was based on a misunderstanding of the purpose of the LoggedOut cookie. The LoggedOut cookie is there to suppress the client-side cache, not the server-side cache. It prevents privately cached logged-in pages from being displayed after the user logs out. Feel free to special-case it in squid if you're worried about the server-side cache hit ratio, but note that IMS requests would need special handling.
> - Credential data in the session is destroyed, so the session is harmless. But it is still useful for abuse tracking (logout/login sequences) and similar analysis.
> - Not much point in removing the username persistence feature if you can't improve the squid cache hit ratio, which was obviously your goal.

Users may want to prevent their user name from appearing in the login box (or in a cookie, anyway), in public places or anywhere. The UserName cookie should be deleted when logging out. I think the LoggedOut cookie and the session are harmless, though.

Hoi,

Would it be possible to have a cookie with the language of the User Interface ... and leave that one as well?

Thanks,
GerardM

On Jan 13, 2008 4:19 PM, Rotem Liss rotemliss_net@fastmail.fm wrote:
> tstarling@svn.wikimedia.org wrote:
> > Revision: 29682
> > Author: tstarling
> > Date: 2008-01-13 03:47:07 +0000 (Sun, 13 Jan 2008)
> >
> > Log Message:
> > Revert r29671, it was based on a misunderstanding of the purpose of the LoggedOut cookie. The LoggedOut cookie is there to suppress the client-side cache, not the server-side cache. It prevents privately cached logged-in pages from being displayed after the user logs out. Feel free to special-case it in squid if you're worried about the server-side cache hit ratio, but note that IMS requests would need special handling.
> > - Credential data in the session is destroyed, so the session is harmless. But it is still useful for abuse tracking (logout/login sequences) and similar analysis.
> > - Not much point in removing the username persistence feature if you can't improve the squid cache hit ratio, which was obviously your goal.
>
> Users may want to prevent their user name from appearing in the login box (or in a cookie, anyway), in public places or anywhere. The UserName cookie should be deleted when logging out. I think the LoggedOut cookie and the session are harmless, though.

Wikitech-l mailing list Wikitech-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikitech-l

On 1/13/08, Rotem Liss rotemliss_net@fastmail.fm wrote:
> Users may want to prevent their user name from appearing in the login box (or in a cookie, anyway), in public places or anywhere. The UserName cookie should be deleted when logging out. I think the LoggedOut cookie and the session are harmless, though.

In such public places, you would want to delete *all* cookies when logging out. By that logic we should save no cookies at all when logging out. Rather, the user should delete all the cookies if they're concerned about this (and if it's a public place, the browser should be configured to do this automatically).
I would agree with you if it were sensitive information, of course. But honestly, it's not a huge deal that their username shows up in the login box, so I think it's best to go with what's best for most users.
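
The client-side cache behaviour the commit message describes, as an added example (not MediaWiki's code and not from any poster in this thread): it assumes the LoggedOut cookie carries the logout time as a Unix timestamp and that the server folds it into the value compared against If-Modified-Since. Function names and the timeline values are constructed.

```python
from email.utils import formatdate, parsedate_to_datetime

def effective_last_modified(page_touched, logged_out_cookie):
    """Newest of the page's change time and the logout time (Unix seconds)."""
    try:
        logged_out = int(logged_out_cookie) if logged_out_cookie else 0
    except ValueError:
        logged_out = 0  # malformed cookie value: ignore it
    return max(page_touched, logged_out)

def respond(page_touched, headers, cookies):
    """Return (status, response_headers) for a GET of a privately cacheable page."""
    last_mod = effective_last_modified(page_touched, cookies.get("LoggedOut"))
    resp = {
        "Last-Modified": formatdate(last_mod, usegmt=True),
        "Vary": "Cookie",
        "Cache-Control": "private, must-revalidate, max-age=0",
    }
    ims = headers.get("If-Modified-Since")
    if ims:
        try:
            client_copy = parsedate_to_datetime(ims).timestamp()
        except (TypeError, ValueError):
            client_copy = None  # unparsable date: treat as unconditional
        # 304 tells the browser to keep showing the copy it already holds.
        if client_copy is not None and client_copy >= last_mod:
            return 304, resp
    return 200, resp

# Constructed timeline (Unix seconds).
PAGE_TOUCHED = 1200000000   # last edit of the page
LOGOUT = 1200195000         # user logged out after viewing the page logged in

def scenario():
    """Browser revalidates a copy it cached while logged in, after logout."""
    ims = {"If-Modified-Since": formatdate(PAGE_TOUCHED, usegmt=True)}
    without_cookie, _ = respond(PAGE_TOUCHED, ims, {})
    with_cookie, _ = respond(PAGE_TOUCHED, ims, {"LoggedOut": str(LOGOUT)})
    return without_cookie, with_cookie

if __name__ == "__main__":
    # Without the cookie the stale logged-in copy is revalidated (304);
    # with it the server sends a fresh logged-out page (200).
    print(scenario())
```

A front cache that answers If-Modified-Since requests itself without looking at the cookie would return the 304 case, which is the IMS special handling the commit message mentions.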