1) This I have no idea about, but it's definitely not in the core, because my test wiki doesn't set this cookie. It has to be an extension.
2) "users" does not imply "logged-in users". The extension page says it tracks users' clicks, which is accurate as that is exactly what it does. If it meant to say only logged-in users, it would have said that. However, it may be wise for a functionality to be introduced in that extension that does actually restrict clicktracking to only logged-in users if configured that way. On the other hand, this isn't a privacy issue since it does not associate the user's tracking with their identity in any way (even when logged in, the clicktracking session is separate from their actual session).
3) That is done on purpose. It's a convenience feature. Notice how when you log out and then go back to the login page that your username is already filled in for you. AFAIK, it isn't used in any way by MediaWiki to identify the user.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com

On Tue, Dec 18, 2012 at 1:57 PM, Adam Wight <awight@wikimedia.org> wrote:
I've been digging around in our cookie jar, as part of my work with Fundraising, and I have a few questions about the cookies we set on anonymous users.
First, I am deeply impressed with the care we have taken to respond to the community's privacy concerns, and after first-hand experience negotiating with our lawyers to implement an additional cookie, I think that WMF deserves its place as a model to the rest of the internet. I would like to help clean up or at least explain the few oversights I identify below, so that we can be fully confident that we are doing everything we can to prevent abuse of our visitors' privacy.
- Anonymous users are given a 1-year cookie which uniquely identifies them. After logging out and clearing all cookies from my browser, I visited en.wikipedia.org and received this cookie. Why would an anonymous user be given an identifying token?
mediaWiki.user.id=oDNtHcMSeGMSZyRehhuC7ypQRuPEGk3a; expires=Wed, 18 Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org
- Anonymous users are enrolled in clicktracking. I was surprised because the extension page at http://www.mediawiki.org/wiki/Extension:ClickTracking specifies that it affects "users", and I think it should very explicitly state that it affects "logged-in users and anonymous visitors" if that is really the intention.
clicktracking-session=0orJJTU79otWR6x1m8ykUAyasVpZJBn2x; path=/; domain=en.wikipedia.org
- Registered users' cookies are not cleared at logout. This seems like a pretty basic fix.
enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/; domain=en.wikipedia.org; Secure; HttpOnly
Ideally, an anonymous user, whether or not they have ever been logged in as a registered user, will not transmit any personally identifying information in their requests. All three of these cookies violate that principle. I have not found any public debate on the issue; hopefully others are interested in this topic.
Regards,
Adam Wight
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l