
remove token logging, or change to sessionId cookie
Open, Medium, Public

Description

When Campaign logs a ServerSideAccountCreation event, it still logs the 'mediaWiki.user.id' cookie as the token field.

As https://meta.wikimedia.org/wiki/Schema_talk:ServerSideAccountCreation#event_token_changes says, client-side code no longer sets this long-lived cookie since T46327: mediawiki.user: Anonymous users should not be identifiable cross sessions was fixed in May 2013. Instead, if mw.user.id() is called, it sets a 'mediaWiki.user.sessionId' cookie.

Depending on need and privacy policy, Campaign could be changed to not log token, or to log the new 'mediaWiki.user.sessionId' cookie. FYI account creation does not currently set either cookie; the current callers of mw.user.id() are AFT, AFTv5, and UniversalLanguageSelector.

Many events still have a non-blank token (30% of all enwiki and dewiki account creations). Apparently people are creating accounts in browsers that set this cookie months ago.


Version: master
Severity: minor

Details

Reference
bz52079

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 1:50 AM
bzimport set Reference to bz52079.
Spage set Security to None.