Hmm ... see in-lined.
On Oct 12, 2005, at 14:04, Brion Vibber wrote:
Johannes Ernst wrote:
I'm trying to understand the purpose of the LoggedOut cookie. I have
two problems:
1) The comments state that it is in order to assist with caching /
refreshing the right information. However, the cookie is only set
(well, can only be set) if the user logs out very explicitly by
clicking the log out button. I suspect, many users will not do that,
e.g. by quitting the browser or abandoning the current session, leaving
that cookie absent or holding the wrong value. How useful can this
mechanism be -- but see next question -- if many/most people do not /
will not activate it?
It's useful because it cuts down on complaints of the form:
"I logged out, but I went to a page and it logged me right back in! But
then I tried to edit and it logged me out again!"
Okay, I understand how this could occur and why users would be upset.
However, couldn't the same effect be accomplished simply by removing
the session cookie? If I understand HTTP caching correctly -- well,
that may mean nothing because my knowledge on that subject is cursory
-- then pages are only supposed to be cached if the cookie
information is the same. Removing the session cookie would accomplish
this, just like adding the LoggedOut cookie does?
2) Based on looking at the code, I'm not certain that the caching
behavior implemented with the LoggedOut cookie really works. Also, I
don't recall having ever seen a similar mechanism with any other
website. Is there any Wikipedia-specific functionality that can only be
accomplished with this cookie that somehow I don't see?
MediaWiki tries to let the client cache wiki pages in order to speed
things up when clicking around to pages you've already been at; from
what I've seen most dynamic sites don't bother with this, so they may
not require particular handling of the logout case.
When you revisit a page, the client sends an If-Modified-Since header
with the value of the Last-Modified header sent from the server on the
previous visit.
The wiki compares this time against:
* a global cache invalidation timestamp ($wgCacheEpoch)
* the page_touched field for the page; updated on edit and on
modification of linked resources that would change rendering
* the user_touched field for the user; updated on login, logout, change
of preferences, addition to the talk page, clearing of the new talk
flag, changes to the watchlist
If the given time postdates all those, then a '304 Not Modified'
response is sent; the page doesn't have to be rendered or transferred
over the network and it's displayed more quickly to the user.
If the given time is older than any of those, then it means something
may have changed that alters how the output should appear; it's
re-rendered and HTML gets sent down the wire.
Now, if you log out then the user_touched timestamp isn't exactly
applicable; there's no account connected to the session.
Ah! Here seems to be the poodle's core... In other words, the
LoggedOut cookie captures information (the time of log out) that is
associated with this particular user, although the user has decided
to log out ...
Setting a cookie is a way to force that, and let the wiki know that a
cached page from before the logout should be rerendered.
Let me ask the other way around. Why wouldn't the following, much
simplified scenario work:
- there is only one cookie, xxx_session that is ever set by MediaWiki
- it is set as a result of a successful authentication
- is removed as a result of a log out.
- caching / re-rendering is performed strictly based on the cookie
value and the modification times of the page
There may be information that needs to be tracked on a per-user basis
even for anonymous users (I just say that, I don't know. Is there?)
so user Anonymous 1 can be distinguished from Anonymous 2. If there
is, that information could also be held by a (really different)
session cookie which is created when the user logs off and removed
when the user logs on. In order for the If-modified-since to work, it
probably would have to have a different value than when the user was
still logged on.
(I'm also not sure why the xxxUserName cookie is needed -- it stays
around after logout -- isn't that a privacy problem? With automatic
form-fill in the newer browsers, that should not really be necessary?
But that's a different question)
It doesn't handle the timeout / quit browser case, no, but that doesn't
matter too much. It's there to handle the "OMFG I'm still logged in even
though I logged out!!!!!!1111eleven" case.
-- brion vibber (brion @ pobox.com)
Johannes Ernst
http://netmesh.info/jernst
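
The If-Modified-Since comparison described in this thread, as an added Python sketch that is not part of the original messages and is not MediaWiki's code. The function names, the constructed timeline, and the assumption that the LoggedOut cookie carries the logout time are illustrative only.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_ims(header):
    """Parse an If-Modified-Since value; None when absent or malformed."""
    if not header:
        return None
    try:
        ts = parsedate_to_datetime(header)
    except (TypeError, ValueError):
        return None
    # Treat a zone-less date as UTC so it can be compared safely.
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def conditional_status(ims_header, cache_epoch, page_touched,
                       user_touched=None, logged_out_at=None):
    """Return 304 if the client's copy is newer than every timestamp, else 200.

    user_touched is only known while a session is attached to an account;
    logged_out_at models the time assumed to be held in the LoggedOut cookie.
    """
    stamps = [cache_epoch, page_touched]
    stamps += [t for t in (user_touched, logged_out_at) if t is not None]
    client = parse_ims(ims_header)
    # Equal timestamps count as fresh here (the thread does not specify).
    if client is not None and client >= max(stamps):
        return 304
    return 200

def at(hour, minute):
    return datetime(2005, 10, 12, hour, minute, tzinfo=timezone.utc)

# Constructed timeline: page last touched 09:00, login 10:00,
# page viewed while logged in 10:05, explicit logout 10:10.
EPOCH = datetime(2005, 1, 1, tzinfo=timezone.utc)
IMS = "Wed, 12 Oct 2005 10:05:00 GMT"

def demo():
    return {
        "logged_in": conditional_status(IMS, EPOCH, at(9, 0), user_touched=at(10, 0)),
        # No account on the session, so user_touched is unavailable:
        "logout_no_cookie": conditional_status(IMS, EPOCH, at(9, 0)),
        "logout_with_cookie": conditional_status(IMS, EPOCH, at(9, 0),
                                                 logged_out_at=at(10, 10)),
    }

if __name__ == "__main__":
    print(demo())
```

The `logout_no_cookie` case is the complaint quoted above: the server answers 304 and the browser redisplays the copy rendered while logged in.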