
Don't retrieve edit token (or any other type of tokens) on article view
Closed, Resolved (Public)

Description

Per Asher, this results in session creation for anon users and their requests bypassing frontend caches. Marking as a blocker, as this prevents us from deploying new code (which retrieves even more tokens).


Version: unspecified
Severity: blocker
URL: https://mingle.corp.wikimedia.org/projects/mobile/cards/450

Details

Reference
bz41519

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!. Nov 22 2014, 12:54 AM
bzimport set Reference to bz41519.

We can certainly turn these off for anonymous users by attaching a class to the html tag for logged-in users (provided that doesn't affect caching).

However, I'd be very surprised if the large increase in the amount of session creation is due to watch and edit token requesting, since this is limited to beta.

Talking to Patrick, he said it was mostly due to the CSRF requests caused in non-beta.

Mobile token has been mostly killed with https://gerrit.wikimedia.org/r/30812
Other tokens aren't retrieved for anons as of https://gerrit.wikimedia.org/r/#/c/30806/

The session is now initialized for anons only when they visit Special:MobileOptions (for CSRF protection); however, usual reading shall not create any cache-bypassing cookies now.
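The mechanism the description and the comment above refer to, as an added toy model (not MediaWiki or MobileFrontend code): a token request has to bind the token to a session, so it sets a session cookie, and a Varnish-style frontend cache passes every cookie-carrying request straight to the backend. The model contrasts the old page JS that fetched a token on every article view with the fixed behaviour that only asks for one when the user is logged in. The cookie name, the paths, the hit/miss/pass counters and the `simulate` scenario are assumptions made for the model.

```javascript
// Added example, not project code: why an anonymous page view that also
// requests a token defeats the frontend cache, and what guarding the request
// fixes. SESSION_COOKIE, paths and counters are assumptions of this model.

const SESSION_COOKIE = 'session'; // assumed cookie name

// Backend: plain page views are cacheable; action=tokens needs a session to
// bind the token to, so for a cookie-less caller it starts one and sets the
// cookie. That Set-Cookie is the cache-busting side effect this task is about.
function makeBackend() {
  let sessions = 0;
  return {
    sessionsCreated: () => sessions,
    handle(req) {
      if (req.path === '/w/api.php' && req.query.action === 'tokens') {
        let sid = req.cookies[SESSION_COOKIE];
        let setCookie = null;
        if (!sid) { sessions += 1; sid = `s${sessions}`; setCookie = `${SESSION_COOKIE}=${sid}`; }
        const body = JSON.stringify({ tokens: { [`${req.query.type}token`]: `tok-${sid}` } });
        return { body, setCookie, cacheable: false };
      }
      return { body: `<html>${req.path}</html>`, setCookie: null, cacheable: true };
    },
  };
}

// Frontend cache (Varnish-like): a request carrying the session cookie is a
// "pass" straight to the backend and is never cached; cookie-less requests are
// served from cache on a hit, and cacheable cookie-less responses are stored.
function makeCache(backend) {
  const store = new Map();
  const stats = { hit: 0, miss: 0, pass: 0 };
  const keyOf = (req) => req.path + '?' + new URLSearchParams(req.query).toString();
  return {
    stats,
    fetch(req) {
      if (req.cookies[SESSION_COOKIE]) { stats.pass += 1; return backend.handle(req); }
      const key = keyOf(req);
      if (store.has(key)) { stats.hit += 1; return store.get(key); }
      stats.miss += 1;
      const res = backend.handle(req);
      if (res.cacheable && !res.setCookie) store.set(key, res);
      return res;
    },
  };
}

// Client: a browser with a cookie jar. A logged-in user already holds a
// session cookie; shouldFetchToken(loggedIn) decides whether an article view
// also requests a watch token (old behaviour: always; fixed: logged in only).
function makeClient(cache, { loggedIn, shouldFetchToken }) {
  const cookies = loggedIn ? { [SESSION_COOKIE]: 'login' } : {};
  const get = (path, query = {}) => {
    const res = cache.fetch({ path, query, cookies });
    if (res.setCookie) { const [name, value] = res.setCookie.split('='); cookies[name] = value; }
    return res;
  };
  return {
    view(title) {
      get(`/wiki/${title}`);
      if (shouldFetchToken(loggedIn)) {
        get('/w/api.php', { format: 'json', action: 'tokens', type: 'watch' });
      }
    },
  };
}

// Scenario (constructed): one anonymous reader views two articles twice each.
// Returns the cache counters plus the number of sessions the backend created.
function simulate(shouldFetchToken, loggedIn = false) {
  const backend = makeBackend();
  const cache = makeCache(backend);
  const reader = makeClient(cache, { loggedIn, shouldFetchToken });
  for (const title of ['Main_Page', 'Main_Page', 'Sandbox', 'Sandbox']) reader.view(title);
  return { ...cache.stats, sessions: backend.sessionsCreated() };
}

const fetchAlways = () => true;                    // old page JS
const fetchWhenLoggedIn = (loggedIn) => loggedIn;  // the fix

console.log('anon, token on every view:', simulate(fetchAlways));
console.log('anon, token only if logged in:', simulate(fetchWhenLoggedIn));
console.log('logged in:', simulate(fetchWhenLoggedIn, true));
```

With the old behaviour the very first token request creates a session and from then on every request, article views included, is a pass (one session, zero hits); with the guard the anonymous reader creates no session and the repeat views are cache hits. The guard itself is the only thing the page JS has to get right: the comment above proposes deriving "logged in" from a class on the html tag, which the model stands in for with the `loggedIn` flag.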

Still a pointless request on every logged-in page view:

GET /w/api.php?format=json&action=tokens&type=watch

Should be fixed during our performance sprint.