Page MenuHomePhabricator
Create Task
Maniphest T223931

Switch mw.user.sessionId back to session-cookie persistence
Closed, ResolvedPublic
Actions

Description

As part of an effort to improve web performance, in 2017 I migrated the persistence of the EventLogging-related "session ID" from being stored in an HTTP session-cookie, to being stored in HTML5 Session Storage.

This "session ID" is an anonymous token temporarily assigned to a user viewing a specific website (e.g. en.wikipedia.org), unrelated to their account (if they have one), and not coordinated between wikis.

When using an HTTP session cookie:

  • It expires at the end of the browsing session (e.g. when you close the browser and don't use the "restore session" feature some browsers have), or when browsers delete them to free up space by removing cookies from sites you haven't visited recently (e.g. after 7 days in case of Safari).
  • For as long as it has not expired, it is the same between different tabs to the same website.
  • It is sent to the server (and ignored there) because the Cookie transportation mechanism does not have a way to be "JS-only" (it does have HTTP-only, which we cannot use here).

When using HTML5 sessionStorage:

  • It expires with the lifetime of a single logical browsing "tab". They live for as long as the tab is alive in some form or another. Going from one page to another within the same website within the same tab, is still the same "tab". You can also go to a different website in that tab, and then use the "Back" and "Forward" mechanisms to revisit the old page in the same tab, and still associate the same HTML session. In most browsers, one can also re-open a closed tab within a limited time from the History menu. When closing a browser complete there is not a way to restore it usually. Not even when "restoring the browser session".
  • It is never shared between tabs to the same website. While this restriction might sound interesting from a privacy perspective, it seems to me not useful and not matching user expectation. When a user is logged-in (which uses cookies), they are logged in in all tabs for that website, not just the tab where they logged-in. They can open additional tabs via bookmarks or context menus and expect that to span the same session. This makes HTML5 session storage not useful for A/B testing and other EventLogging purposes.

The reason for migrating it in 2017 was to reduce network traffic (bandwidth cost for users) between browser and server for information only never needed on the browser. The session cookies, while having all the correct behaviours we want, are also sent to the server, which adds a cost that negatively impacts performance.

It was my (incorrect) understanding that HTML5 session storage is like HTTP cookie sessions, except without the cost of HTTP transfers.

Proposal

Migrate the storing mechanism for this token back from HTML5 session storage to HTTP session cookies. This is technically a simple task to do.

Stakeholder approval

Check the box if this change is desirable for your team, and if you have concerns about when to deploy it (e.g. not during a particular research campaign), also let us know in the comments below when you'd prefer this to (not) roll out.

  • Performance Team (implied).
  • Analytics.
  • Product Analytics

See also

Details

SubjectRepoBranchLines +/-
mediawiki.user: Switch sessionId() back to session-cookie persistencemediawiki/coremaster+27 -17
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Krinkle triaged this task as Medium priority.May 20 2019, 7:22 PM
Krinkle updated the task description. (Show Details)
Krinkle moved this task from Inbox, needs triage to To-do: Goals, prioritized next 4 Quarters on the Performance-Team board.
Krinkle added a subscriber: Nuria.
fdans added subscribers: Miriam, fdans.Jun 3 2019, 4:04 PM

cc @Miriam

fdans added a project: Research.Jun 3 2019, 4:04 PM
fdans moved this task from Incoming to Radar on the Analytics board.
Nirmos added a subscriber: Nirmos.Jun 6 2019, 10:26 AM
leila edited projects, added Research-Freezer; removed Research.Jul 11 2019, 3:50 PM
Krinkle updated the task description. (Show Details)Sep 10 2019, 6:50 PM
jlinehan added a project: Better Use Of Data.Sep 10 2019, 6:50 PM
jlinehan added a subscriber: jlinehan.
jlinehan moved this task from Inbox to Backlog on the Better Use Of Data board.Oct 11 2019, 1:04 PM
kzimmerman moved this task from Triage to Needs Investigation on the Product-Analytics board.Oct 28 2019, 8:48 PM
LGoto edited projects, added Product-Analytics (Kanban); removed Product-Analytics.Nov 15 2019, 6:24 PM
LGoto moved this task from Next 2 weeks to Blocked on the Product-Analytics (Kanban) board.
Nuria added a comment.Nov 15 2019, 8:28 PM

I think (if Performance-Team agrees) this work can be done by @jlinehan as part of the efforts we are doing for the Modern Event Platform work.

jlinehan added a comment.EditedNov 15 2019, 8:45 PM
In T223931#5668049, @Nuria wrote:

I think (if Performance-Team agrees) this work can be done by @jlinehan as part of the efforts we are doing for the Modern Event Platform work.

Happy to do it, if there's approval from Performance-Team.

@Krinkle it seems like HTML5 localStorage (link), which does not expire on tab closure, and is available to all tabs, would deal with the shortcomings of HTML5 sessionStorage while still keeping the data it's persisting off the wire. Is my understanding correct that the reason why localStorage is considered unsuitable is due to its lack of any TTL mechanism?

Nuria added a comment.Nov 15 2019, 9:19 PM

it seems like HTML5 localStorage (link), which does not expire on tab closure, and is available to all tabs, would deal with the shortcomings of HTML5

Problem is that localStorage does not work for browsers such UC browser for which we get many pageviews (millions a day). https://caniuse.com/#search=Localstorage

Some of the browsers that do not support localstorage also are below grade A in MW javascript support. See: https://github.com/wikimedia/mediawiki/blob/2aed14b686/resources/src/startup/startup.js#L39 but not all, so * I think* storing on a cookie is a requirement.

jlinehan added a comment.Nov 15 2019, 9:35 PM
In T223931#5668164, @Nuria wrote:

Problem is that localStorage does not work for browsers such UC browser for which we get many pageviews (millions a day). https://caniuse.com/#search=Localstorage

Aha. And KaiOS browser support is unknown too, I see. What a shame. I wonder if it's actually unsupported (I assume it is) or there really is just no data. I see that the caniuse numbers look the same for sessionStorage https://caniuse.com/#search=sessionstorage, I assume this was another reason to return to using cookies here.

jlinehan added a project: Product-Infrastructure-Team-Backlog-Deprecated.Nov 18 2019, 1:40 PM
Ottomata assigned this task to Milimetric.Nov 18 2019, 4:50 PM
Ottomata raised the priority of this task from Medium to High.
Ottomata added a project: Analytics-Kanban.
Ottomata moved this task from Radar to Data Quality on the Analytics board.
Milimetric moved this task from Next Up to In Progress on the Analytics-Kanban board.Nov 19 2019, 4:32 AM
jlinehan moved this task from Backlog to Done! on the Better Use Of Data board.Nov 19 2019, 5:31 PM
leila removed a project: Research-Freezer.Nov 20 2019, 12:24 AM
LGoto moved this task from Needs triage to Tracking on the Product-Infrastructure-Team-Backlog-Deprecated board.Nov 20 2019, 4:49 PM
mforns moved this task from In Progress to Paused on the Analytics-Kanban board.Nov 25 2019, 5:26 PM
Nuria added a comment.Dec 2 2019, 6:55 AM

Uassigning @Milimetric and lowering priority a bit in the light of other (completely unrelated work) we need to do

Nuria removed Milimetric as the assignee of this task.Dec 2 2019, 6:56 AM
Nuria removed a project: Analytics-Kanban.
Nuria added a subscriber: Milimetric.
mpopov signed these changes with MFA.Dec 5 2019, 9:31 PM
mpopov added a subscriber: mpopov.

Okay, if localStorage is out of the discussion (due to lack of expiration setting and full browser support) and our options are sessionStorage (current status quo) and session cookies (proposed), we should definitely switch back to using session cookies. Not having a cross-tab mw.user.sessionId is a major hindrance to analysis of sessions on the web.

jlinehan added a comment.EditedDec 6 2019, 5:07 PM

Hey @Nuria, @Krinkle, I think it will be simple to patch this, my understanding from looking at the Mediawiki code is that we already have the code to work with cookies from the mw.cookie module. So the patch here is to the mw.user module, correct? (specifically mw.user.sessionId). Can I ask why this feature lives in mw.user? If there are other modules besides EventLogging that depend on it, then they should also be informed since session cookies will alter the persistence behavior vs sessionStorage. If there are no other modules depending on it, why is it in mw.user?

Nuria added a comment.Dec 6 2019, 5:17 PM

@jlinehan We have too many balls up in the air now that need code reviews, let's pick this patch up when https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/EventLogging/+/524575/ and https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/553376/ have been merged and are working in vagrant.

mpopov closed subtask T238434: Identify next steps needed for Product Analytics to approve switching mw.user.sessionId back to session-cookie persistence as Resolved.Dec 9 2019, 5:53 PM
nshahquinn-wmf added a subscriber: nshahquinn-wmf.Jan 20 2020, 3:33 PM
phuedx added a subscriber: phuedx.Jan 20 2020, 3:36 PM
mpopov updated the task description. (Show Details)Feb 10 2020, 7:12 PM
mpopov assigned this task to jlinehan.Feb 10 2020, 7:15 PM
mpopov edited projects, added Product-Analytics; removed Product-Analytics (Kanban).
mpopov moved this task from Needs Investigation to Current Quarter on the Product-Analytics board.

Jason and I talked about picking this up this quarter

jlinehan moved this task from Tracking to Kanban on the Product-Infrastructure-Team-Backlog-Deprecated board.Feb 11 2020, 4:37 PM
jlinehan edited projects, added Product-Infrastructure-Team-Backlog-Deprecated (Kanban); removed Product-Infrastructure-Team-Backlog-Deprecated.
jlinehan moved this task from To Do to Doing on the Product-Infrastructure-Team-Backlog-Deprecated (Kanban) board.
gerritbot added a comment.Feb 13 2020, 3:42 PM

Change 572011 had a related patch set uploaded (by Bearloga; owner: Bearloga):
[mediawiki/core@master] Switch mw.user.sessionId back to session-cookie persistence

https://gerrit.wikimedia.org/r/572011

gerritbot added a project: Patch-For-Review.Feb 13 2020, 3:42 PM
mpopov claimed this task.Feb 13 2020, 3:44 PM
mpopov moved this task from Doing to Code Review on the Product-Infrastructure-Team-Backlog-Deprecated (Kanban) board.
mpopov edited projects, added Product-Analytics (Kanban); removed Product-Analytics.
mpopov moved this task from Blocked to Doing on the Product-Analytics (Kanban) board.
mpopov added a comment.Feb 13 2020, 3:49 PM

@Nuria: Can you please sign-off in the ticket description as the Analytics stakeholder if you agree with Timo and the change that's been uploaded? Session ID should behave in the way we expect it to, which is to say the JS-based session cookie solution that allows it to be shared by tabs and is restricted to the lifetime of the browser session gets us there (and returns to how it used to be).

Nuria added a comment.Feb 13 2020, 4:27 PM

Are we using js-based cookies or non-js-based cookies?

Nuria added a comment.Feb 13 2020, 4:27 PM

Question for @Krinkle mostly

Krinkle added a comment.Feb 13 2020, 4:29 PM

JS-based. mw.user is a JavaScript module that runs client-side and generates these IDs by computing random tokens with the Web Crypto API. The computation and storing as cookie happens lazily when event instrumentation code first needs the ID and it isn't already set.

Isaac added a subscriber: Isaac.Feb 14 2020, 5:42 PM
mpopov moved this task from Doing to Needs Review on the Product-Analytics (Kanban) board.Feb 18 2020, 6:42 PM
mpopov moved this task from Done! to Tracking on the Better Use Of Data board.
gerritbot added a comment.Feb 19 2020, 7:19 PM

Change 572011 merged by jenkins-bot:
[mediawiki/core@master] mediawiki.user: Switch sessionId() back to session-cookie persistence

https://gerrit.wikimedia.org/r/572011

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.21; 2020-02-25).Feb 19 2020, 8:00 PM
Nemo_bis added a subscriber: Nemo_bis.Feb 19 2020, 9:35 PM
mpopov moved this task from Code Review to To Deploy on the Product-Infrastructure-Team-Backlog-Deprecated (Kanban) board.Feb 19 2020, 10:14 PM
mpopov edited projects, added Product-Analytics; removed Product-Analytics (Kanban), Patch-For-Review.

Thanks @jlinehan for announcing the change to product-all@, research-internal@lists, and analytics@lists

nshahquinn-wmf awarded a token.Feb 19 2020, 11:06 PM
Tgr mentioned this in T243632: Newcomer tasks: variant group and event alignment issues.Feb 19 2020, 11:14 PM
Krinkle closed this task as Resolved.Feb 22 2020, 6:18 PM
Krinkle mentioned this in T121646: Document usage policy for LocalStorage in MediaWiki code.May 20 2020, 6:11 PM
TheDJ added a subscriber: TheDJ.Apr 6 2021, 3:45 PM

Shouldn't this cookie have been added to https://foundation.wikimedia.org/wiki/Cookie_statement ???

Ciencia_Al_Poder added a subscriber: Ciencia_Al_Poder.Apr 6 2021, 3:54 PM
Krinkle reopened this task as Open.Apr 6 2021, 11:07 PM
In T223931#6976622, @TheDJ wrote:

Shouldn't this cookie have been added to https://foundation.wikimedia.org/wiki/Cookie_statement ?

Maybe. I am not a laywer, but as far as I know that page and relevant legislation applies to cookies and other forms of client storage more or less equally (e.g. Local Storage, IndexedDB etc.).

This feature was not listed there, so perhaps it was already forgotten back when it did use a cookie. Either way, if it is listed there, I don't think it needs any change since the expiry would continue to be "When user exits browser". Some of the features that moved from Cookies to Local Storage were highlighted as such on that page, but only because they used a special kind of expiry, not because they used LocalStorage itself instead of a cookie. (And the SessionStorage variant of LocalStorage is basically equivalent to Session cookie, which is what this feature used until recently.)

mpopov removed mpopov as the assignee of this task.May 13 2021, 8:11 PM
mpopov moved this task from Current Quarter to Tracking on the Product-Analytics board.Jun 1 2021, 5:16 PM
kzimmerman added a project: Metrics Platform Backlog.Jun 1 2021, 6:57 PM
kzimmerman added subscribers: DAbad, kzimmerman.

@DAbad @jlinehan this came across my team's radar again as we were going through our backlog, and I wanted to flag the recent comments above (https://phabricator.wikimedia.org/T223931#6976622, https://phabricator.wikimedia.org/T223931#6978412) for your attention

DAbad added a comment.EditedJun 30 2021, 3:10 PM

Need to reach out to Legal to figure out the next steps to determine if something needs to be done.

Basically do we need to document this in the cookie statement?

JL: probably yes

Who maintains the cookie statement page?

DAbad assigned this task to jlinehan.Jun 30 2021, 3:14 PM
jlinehan moved this task from Backlog to To be discussed on the Metrics Platform Backlog board.Jul 26 2021, 4:33 PM
MSantos removed a project: Product-Infrastructure-Team-Backlog-Deprecated (Kanban).Aug 17 2021, 2:33 PM
nshahquinn-wmf added a comment.Feb 28 2022, 11:23 PM

It would be helpful to close this task and open a separate one for the possible change to the cookie statement. I was just looking up the behavior of mw.user.sessionId and assumed it didn't have session-cookie persistence because this task was open. It was only the next day that I realized I was wrong, after I saw some conflicting documentation and looked at the source.

Aklapper removed jlinehan as the assignee of this task.Jul 25 2022, 9:12 AM
Aklapper added a subscriber: Aklapper.

Removing inactive assignee from this open task. (Please update assignees on open tasks after offboarding. Thanks.)

Krinkle closed this task as Resolved.Jul 25 2022, 7:47 PM
Krinkle claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL