On Thu, Sep 29, 2016 at 4:00 PM, Brian Wolff <bawolff(a)gmail.com> wrote:
This way it will work for users without cookies (Maybe
none exist, but I
like the idea you can edit wikipedia without cookies)
There have been people who disabled cookies and still wanted to be able to
use the sites.
and for users who have rapidly changing IPs.
Well, only after they manage to get a session cookie set. I see the patch
there attempts to account for that by creating a session on token failure
via HTMLForm, which is good, although there are other code paths that would
need the same sort of thing (e.g. API token checks).
It will also have minimal breakage, as you won't
have to adjust any
existing usages of tokens (For example, on special pages).
Note it will affect scripts and API clients that expect to see "+\" as the
token as a sign that they're logged out, or worse assume that's the token
and don't bother to fetch it.
--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation