Page MenuHomePhabricator
Create Task
Maniphest T33639

MediaWiki should use ETags instead of Last-Modified and the Logged out cookie hack
Open, MediumPublicFeature
Actions

Description

Right now MediaWiki supports browser caching of pages for both logged in and anonymous users through the Last-Modified header. MediaWiki uses a Loggedout cookie hack to prevent anons from being served a bad cache from when they were logged in. However there are a number of problems:

  • As a result of the logged out cookie, after you log out, for quite some time you are served 200 responses instead of proper 304's. In other words, even if you're capable of viewing a cache and your browser doesn't have a stale user cache in it you still won't get a cached page back. This means that logging in and then logging back out will make your wiki viewing potentially slower than being logged in.
  • As another result of the logged out cookie, even though you're an anon, you continue to bypass squid caches in most configurations and don't get the advantage of seeing the same efficiently cached pages as all the other anons.
  • And to top it off, the logged out cookie hack doesn't solve the issue in the other direction. You can view a page, get a Last-Modified header back, log in, go back to the page, and get a 304 that tells your browser to load it's cached page of you logged out instead of the proper one with your logged in interface.

The only way to fix all these troubles is to drop the Logged out cookie hack and instead use ETags which include info about the user so that when a user logs out, logs in, has their talkpage edited (because we want notifications to be sent), changes ip (if they're an anon and their ip address is being shown in the header), etc... the ETag's contents will change.

There's an interesting note about ETags. Browsers can send multiple ETags in their If-None-Match header. As a result a browser can actually have a logged out version and one (or maybe more) logged in versions of a page in their cache. If you view a page, log in, view it again, and log back out, when you go back to the page even though you viewed it with a different ETag and a different cached page, you could potentially end up getting a 304 because you still had a cached version for logged out users ;).

Version: unspecified
Severity: enhancement

Details

Reference
bz31639

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:54 PM
bzimport added a project: MediaWiki-General.
bzimport set Reference to bz31639.
bzimport added a subscriber: Unknown Object (MLST).
DanielFriesen created this task.Oct 12 2011, 5:20 AM
brion added a comment.Oct 13 2011, 4:31 PM

Sounds plausible... after a logout or session timeout (which the logout cookie doesn't currently handle), coming back will ask for the page with your last-seen logged-in etag... the caching proxies don't have it cached since it's set for local-only, so pass it on to the backend app servers. MediaWiki then checks the etag and sees that it doesn't match the user id now active in your session (if any), and kicks back an anonymous page, with the anonymous etag.

Might need to distinguish between 'session but not logged in' and 'no session and not logged in'.

DanielFriesen added a comment.Oct 13 2011, 4:56 PM

(In reply to comment #1)

Might need to distinguish between 'session but not logged in' and 'no session
and not logged in'.

For anons we could include say the first 4 characters of an md5 of the session id in the ETag if there is a session.

Krinkle subscribed.May 8 2015, 4:27 AM
Krinkle added a project: MediaWiki-User-Interface.May 8 2015, 4:41 AM
Krinkle set Security to None.
Krinkle edited subscribers, added: ori; removed: Unknown Object (MLST).
Nemo_bis added a project: OKR-Work.Mar 13 2016, 10:14 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 13 2016, 10:14 AM
Tgr mentioned this in T142542: LoggedOut cookie not set anymore.Aug 15 2016, 6:40 PM
Krinkle edited projects, added Performance-Team; removed OKR-Work, MediaWiki-General.May 4 2019, 3:18 PM
kchapman moved this task from Inbox, needs triage to Radar on the Performance-Team board.May 6 2019, 8:04 PM
kchapman edited projects, added Performance-Team (Radar); removed Performance-Team.
Krinkle moved this task from Limbo to Watching on the Performance-Team (Radar) board.Jul 30 2019, 12:11 AM
Jdlrobson added a project: MediaWiki-libs-BagOStuff.Jan 13 2021, 5:54 PM
Krinkle moved this task from General to HTTP Cache on the MediaWiki-libs-BagOStuff board.Apr 2 2021, 8:59 PM
Krinkle closed subtask T49529: MediaWiki should check ETags as Declined.Apr 2 2021, 9:04 PM
Krinkle mentioned this in T279205: Harden and improve HTTP cache headers and purging in MediaWiki core (Sprint placeholder) .Apr 2 2021, 9:25 PM
Ciencia_Al_Poder subscribed.Sep 13 2021, 9:43 PM
Krinkle edited projects, added MediaWiki-Core-HTTP-Cache; removed MediaWiki-libs-BagOStuff.Jan 22 2022, 11:16 PM
Aklapper changed the subtype of this task from "Task" to "Feature Request".Feb 4 2022, 12:24 PM
Krinkle removed a project: Performance-Team (Radar).Aug 18 2023, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL