tylerromeo at gmail
Dec 18, 2012, 12:28 PM
Post #2 of 11
1) This I have no idea about, but it's definitely not in the core, because
my test wiki doesn't set this cookie. It has to be an extension.
2) "users" does not imply "logged-in users". The extension page says it
tracks users' clicks, which is accurate as that is exactly what it does. If
it meant to say only logged-in users, it would have said that. However, it
may be wise for a functionality to be introduced in that extension that
does actually restrict clicktracking to only logged-in users if configured
that way. On the other hand, this isn't a privacy issue since it does not
associate the user's tracking with their identity in any way (even when
logged in, the clicktracking session is separate from their actual session).
3) That is done on purpose. It's a convenience feature. Notice how when you
log out and then go back to the login page that your username is already
filled in for you. AFAIK, it isn't used in any way by MediaWiki to identify
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo [at] gmail
On Tue, Dec 18, 2012 at 1:57 PM, Adam Wight <awight [at] wikimedia> wrote:
> I've been digging around in our cookie jar, as part of my work with
> Fundraising, and I have a few questions about the cookies we set on
> anonymous users.
> First, I am deeply impressed with the care we have taken to respond to the
> community's privacy concerns, and after first-hand experience negotiating
> with our lawyers to implement an additional cookie, I think that WMF
> deserves its place as a model to the rest of the internet. I would like to
> help clean up or at least explain the few oversights I identify below, so
> that we can be fully confident that we are doing everything we can to
> prevent abuse of our visitors' privacy.
> 1) Anonymous users are given a 1-year cookie which uniquely identifies
> them. After logging out and clearing all cookies from my browser, I
> visited en.wikipedia.org and received this cookie. Why would an
> anonymous user be given an identifying token?
>> mediaWiki.user.id=**oDNtHcMSeGMSZyRehhuC7ypQRuPEGk**3a; expires=Wed, 18
>> Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org
> 2) Anonymous users are enrolled in clicktracking. I was surprised because
> the extension page at http://www.mediawiki.org/wiki/Extension:ClickTracking
> specifies that it affects "users", and I think it should very explicitly
> state that it affects "logged-in users and anonymous visitors" if that is
> really the intention.
>> clicktracking-session=**0orJJTU79otWR6x1m8ykUAyasVpZJB**n2x; path=/;
> 3) Registered users' cookies are not cleared at logout. This seems like a
> pretty basic fix.
>> enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/;
>> domain=en.wikipedia.org; Secure; HttpOnly
> Ideally, an anonymous user, whether or not they have ever been logged in
> as a registered user, will not transmit any personally identifying
> information in their requests. All three of these cookies violate that
> principle. I have not found any public debate on the issue, hopefully
> others are interested in this topic.
> Adam Wight
> Wikitech-l mailing list
> Wikitech-l [at] lists
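Added example (not part of the original messages and not MediaWiki code): a small audit of the Set-Cookie headers a logged-out client receives, reporting the two facts argued over above, namely whether a cookie carries a per-client token and how long it persists. The function names, the token-length heuristic and the sample cookie values are assumptions made for illustration; only the Expires attribute is handled, as in the cookies quoted in the thread.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie values shaped like the three quoted in the thread.
# Token values and the user name are placeholders, not real data.
OBSERVED = datetime(2012, 12, 18, 18, 25, 38, tzinfo=timezone.utc)
SAMPLE = [
    "mediaWiki.user.id=A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6; expires=Wed, 18 Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org",
    "clicktracking-session=Q7r8S9t0U1v2W3x4Y5z6A7b8C9d0E1f2; path=/",
    "enwikiUserName=ExampleUser; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/; domain=en.wikipedia.org; Secure; HttpOnly",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attrs)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest if p)}
    return name, value, attrs

def audit(header, observed):
    """Report lifetime, token shape and flags for one cookie."""
    name, value, attrs = parse_set_cookie(header)
    lifetime_days = None  # None means a session cookie (no Expires)
    if "expires" in attrs:
        lifetime_days = (parsedate_to_datetime(attrs["expires"]) - observed).days
    return {
        "name": name,
        "lifetime_days": lifetime_days,
        # Heuristic (assumption): long alphanumeric values are per-client tokens.
        "token_like": len(value) >= 20 and value.isalnum(),
        "secure": "secure" in attrs, "httponly": "httponly" in attrs,
    }

def review_anonymous(headers, observed):
    """Return {cookie name: [reasons]} for cookies sent to a logged-out client."""
    findings = {}
    for h in headers:
        a = audit(h, observed)
        reasons = ["unique token"] if a["token_like"] else []
        if a["lifetime_days"] is not None:
            reasons.append(f"persists {a['lifetime_days']} days")
        if reasons:
            findings[a["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in review_anonymous(SAMPLE, OBSERVED).items():
        print(name, "->", ", ".join(reasons))
```

The output lists each cookie with the properties that make it relevant to the anonymous-visitor question; whether a given property is acceptable is the policy decision debated in the thread.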