https://bugzilla.wikimedia.org/show_bug.cgi?id=44327
Web browser: ---
Bug ID: 44327
Summary: Anonymous users have identifying cookies
Product: MediaWiki
Version: 1.21-git
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: Unprioritized
Component: General/Unknown
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Classification: Unclassified
Mobile Platform: ---

There has already been some good discussion on the mailing list:
http://comments.gmane.org/gmane.science.linguistics.wikipedia.technical/65913

I consider this a serious issue because we are infringing on anonymous users'
anonymity.

1) Anonymous users are given a 1-year cookie which uniquely identifies them.
After logging out and clearing all cookies from my browser, I visited
en.wikipedia.org and received this cookie. Why would an anonymous user be
given an identifying token?

> mediaWiki.user.id=oDNtHcMSeGMSZyRehhuC7ypQRuPEGk3a; expires=Wed, 18 Dec 2013
> 18:25:38 GMT; path=/; domain=en.wikipedia.org

2) Anonymous users are enrolled in clicktracking. I was surprised because the
extension page at http://www.mediawiki.org/wiki/Extension:ClickTracking
specifies that it affects "users", and I think it should very explicitly state
that it affects "logged-in users and anonymous visitors" if that is really the
intention.

> clicktracking-session=0orJJTU79otWR6x1m8ykUAyasVpZJBn2x; path=/;
> domain=en.wikipedia.org

3) Registered users' cookies are not cleared at logout. This seems like a
pretty basic fix.

> enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/;
> domain=en.wikipedia.org; Secure; HttpOnly
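
Added example, not part of the original report or of MediaWiki's code: a Python check that runs the three cookie strings quoted in the report through a logged-out cookie policy, flagging values that look like unique tokens and cookies that outlive the session. The thresholds, the function names and the observation time are assumptions made for the example.

```python
import math
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed policy thresholds for this example; tune them for your own site.
MAX_ANON_LIFETIME = timedelta(days=1)   # longest acceptable logged-out cookie
MIN_TOKEN_LEN = 16                      # shorter values are not treated as tokens
MIN_ENTROPY_BITS = 3.0                  # Shannon entropy per character
# The three cookie strings quoted in the report, with wrapped lines rejoined.
REPORTED = [
    "mediaWiki.user.id=oDNtHcMSeGMSZyRehhuC7ypQRuPEGk3a; "
    "expires=Wed, 18 Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org",
    "clicktracking-session=0orJJTU79otWR6x1m8ykUAyasVpZJBn2x; path=/; "
    "domain=en.wikipedia.org",
    "enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/; "
    "domain=en.wikipedia.org; Secure; HttpOnly",
]
# Assumed observation time: one year before the first cookie's expiry.
OBSERVED_AT = datetime(2012, 12, 18, 18, 25, 38, tzinfo=timezone.utc)

def parse_cookie(line):
    """Split 'name=value; attr=val; Flag' into (name, value, attrs)."""
    first, *rest = [p.strip() for p in line.split(";") if p.strip()]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value.strip(), attrs

def entropy(text):
    """Shannon entropy of the string, in bits per character."""
    return -sum(c / len(text) * math.log2(c / len(text)) for c in Counter(text).values())

def audit_logged_out(cookie_lines, now):
    """Return {cookie name: [findings]} for cookies a logged-out browser holds."""
    findings = {}
    for line in cookie_lines:
        name, value, attrs = parse_cookie(line)
        issues = []
        if len(value) >= MIN_TOKEN_LEN and entropy(value) >= MIN_ENTROPY_BITS:
            issues.append("unique-looking token")
        if "expires" in attrs:
            lifetime = parsedate_to_datetime(attrs["expires"]) - now
            if lifetime > MAX_ANON_LIFETIME:
                issues.append(f"persists {lifetime.days} days")
        if issues:
            findings[name] = issues
    return findings

print(audit_logged_out(REPORTED, OBSERVED_AT))
```

A session-only cookie with a random value is still flagged as a token, which matches item 2 of the report; whether that is acceptable for logged-out visitors is a policy decision the check leaves to the reader.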