Page MenuHomePhabricator
Create Task
Maniphest T267217

MediaWiki Session ID should have per-subdomain and cross-subdomain variants
Open, LowPublic
Actions

Description

For many purposes, e.g. content translation, we expect a user session to span multiple projects. Currently, we prefix all cookies by the dbname and its domain is defaulted to the current domain.

To have a cookie used on all subdomains, we would need to specify overrides for these defaults when storing the ID using mw.cookie.

In addition to the current wiki-specific session ID ("mwuser-sessionId"), we should have a cross-subdomain session ID (e.g. "xsd-sessionId", idk) that can be used in cases like Content Translation analytics.

Related Objects
Search...

Event Timeline

jlinehan created this task.Nov 4 2020, 2:13 PM
jlinehan renamed this task from MediaWiki Session ID is shared across subdomains to MediaWiki Session ID should be shared across subdomains.Nov 4 2020, 2:18 PM
mpopov renamed this task from MediaWiki Session ID should be shared across subdomains to A shared session ID across subdomains.Nov 4 2020, 2:23 PM
mpopov updated the task description. (Show Details)
jlinehan renamed this task from A shared session ID across subdomains to MediaWiki Session ID should have per-subdomain and cross-subdomain variants.Nov 4 2020, 2:25 PM
mpopov updated the task description. (Show Details)Nov 4 2020, 2:28 PM
mpopov updated the task description. (Show Details)

Just want it noted that if we can have cross-domain (not just cross-subdomain) session ID (e.g. track a session across Wikipedia languages, Wikimedia Commons, Wikidata, Wikivoyage languages, etc.) that would be AMAZING.

Aklapper added a comment.Nov 4 2020, 2:35 PM

@jlinehan: In which codebase would such changes have to take place?

sdkim moved this task from Inbox to Task Backlog on the Product-Data-Infrastructure board.Nov 16 2020, 4:22 PM
Aklapper added a project: MediaWiki-User-management.Dec 31 2020, 11:48 PM
taavi subscribed.Dec 31 2020, 11:52 PM
JJMC89 moved this task from Backlog to Other on the MediaWiki-User-management board.Jan 7 2021, 8:38 PM
jlinehan added a project: Better Use Of Data.Feb 8 2021, 4:39 PM
ldelench_wmf added a parent task: T281999: Metrics Platform Schema: Define & Model Event Level Fields.May 10 2021, 3:54 PM
ldelench_wmf added a project: Metrics Platform (Metrics-Platform-MVP-Release-1).May 10 2021, 7:55 PM
DAbad moved this task from Metrics-Platform-MVP-Release-1 to Backlog on the Metrics Platform board.Jul 16 2021, 5:16 PM
DAbad edited projects, added Metrics Platform; removed Metrics Platform (Metrics-Platform-MVP-Release-1).
DAbad subscribed.Jul 26 2021, 4:33 PM

Based on grooming:

  • not something we need to put in MVP until we have extra time
  • not a blocker to MVP
jlinehan triaged this task as Low priority.Oct 4 2021, 2:29 PM
Mholloway unsubscribed.Oct 4 2021, 2:55 PM
phuedx removed a parent task: T281999: Metrics Platform Schema: Define & Model Event Level Fields.Oct 24 2024, 3:22 PM
phuedx subscribed.Oct 24 2024, 3:31 PM

☝️ We're using the per-project session ID for now. We settled on and have continued to iterate on a model, which is flexible enough that we could integrate a new cross-subdomain session ID in future.

phuedx edited projects, added Test Kitchen; removed Better Use Of Data, Product-Data-Infrastructure.Oct 28 2024, 12:10 PM
phuedx removed subscribers: DAbad, jlinehan.
phuedx mentioned this in T281999: Metrics Platform Schema: Define & Model Event Level Fields.Oct 28 2024, 12:58 PM
mforns moved this task from Incoming to NEEDS ESTIMATION on the Test Kitchen board.Nov 19 2024, 4:01 PM
VirginiaPoundstone moved this task from NEEDS ESTIMATION to NEEDS DISCUSSION on the Test Kitchen board.Jan 6 2025, 9:42 PM
VirginiaPoundstone removed a project: Metrics Platform.Jan 21 2025, 3:47 AM
Milimetric moved this task from NEEDS DISCUSSION to Incoming on the Test Kitchen board.Jun 3 2025, 3:42 PM
phuedx added a comment.Jun 19 2025, 11:43 AM

IIRC @mpopov and I discussed this in Slack some time ago and arrived at a potential solution: Have Varnish derive one or more session cookies from Edge Unique cookie, e.g.

$crossDomainSessionCookie = hash( $edgeUnique, $secret );
$perDomainSessionCookie = hash( $domain, $crossDomainSessionCookie );

We could even extend this to per-interval session cookies:

// e.g. 2025-06-17 16
$hour = date( 'Y-m-d H' );

$perHourCrossDomainSessionCookie = hash( $hour, $crossDomainSessionCookie );
$perHourDomainSessionCookie = hash( $hour, $perDomainSessionCookie );

Like the Edge Unique cookie, the cookies would be shared across 2LDs – enwiki and dewiki would receive the same session cookies but not enwiki and commonswiki.

Milimetric subscribed.Nov 20 2025, 4:31 PM

sounds like we'd need to re-vet Edge Uniques design if we derive more IDs from it.

Milimetric moved this task from Incoming to READY TO GROOM on the Test Kitchen board.Nov 20 2025, 4:32 PM
phuedx added a comment.Nov 21 2025, 6:38 PM
In T267217#11393091, @Milimetric wrote:

sounds like we'd need to re-vet Edge Uniques design if we derive more IDs from it.

You're right. My comment wasn't well thought out. I was too focussed on solving a problem. I should have said something like:

Cross-domain-ness here will be achieved by using a cookie because localStorage and sessionStorage are tied to the origin. The Edge Unique cookie has a couple of desirable properties that we'd want to replicate for such a cookie:

  1. It's managed by the server: Session identifiers are generated on the client, which have varying levels of support for and implementations of the Web Crypto API
  2. It's verifiable: We trust session identifiers generated on those clients implicitly
  3. It's 3LD where it counts: The Edge Unique cookie is broadly 2LD but an exception is made for .wikimedia.org subdomains as some of them are hosted by third parties

However, if we did want to create such a cookie, we'd design and implemented it to be totally distinct from the Edge Unique cookie.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits