Page MenuHomePhabricator
Create Task
Maniphest T283881

mw.user.sessionId sometimes returns IDs with 16 characters rather than 20
Closed, ResolvedPublic
Actions

Description

Since the start of May, the event error stream shows about 4,400 events in the UniversalLanguageSelector data stream failing validation because '.event.web_session_id' should NOT be shorter than 20 characters, '.event.web_session_id' should match pattern "^[0-9a-z]{20}$". For context, this is only about 0.05% of all UniversalLanguageSelect events over the same period.

In all the invalid events I checked, the web_session_id was 16 characters rather than 20. I don't know why this would be since mw.user.sessionId should always return a 20 character ID.

This has been happening throughout the past 90 days (the dramatic spike around 30 April is almost certainly because the error rate stayed constant as T275762 dramatically increased the overall event volume). Since T275894 was done more than 90 days ago, we can't see if the error started then, but there's no obvious connection.

This error wouldn't have occurred before T267352, since that step added the 20-character validation for web_session_id, but I doubt it caused the underlying problem of the 16 character IDs.

Details

SubjectRepoBranchLines +/-
mediawiki.user: Validate the cookie in sessionId() before returningmediawiki/coremaster+13 -9
Customize query in gerrit

Related Objects

Event Timeline

nshahquinn-wmf created this task.May 27 2021, 9:22 PM
nshahquinn-wmf mentioned this in T283769: Check Language team data streams after migration to the Event Platform.May 27 2021, 9:24 PM
Jdlrobson assigned this task to ovasileva.Jun 1 2021, 4:58 PM
Jdlrobson moved this task from Incoming to Needs Prioritization on the Web-Team-Backlog board.
ldelench_wmf moved this task from Triage to Tracking on the Product-Analytics board.Jun 1 2021, 5:05 PM
ldelench_wmf triaged this task as Low priority.Jun 1 2021, 5:07 PM
nshahquinn-wmf added a project: Product-Data-Infrastructure.Jun 1 2021, 9:32 PM
phuedx added a comment.Jun 2 2021, 11:55 AM

This is also occurring for the following data streams:

  • DesktopWebUIActionsClickTracking [0]
  • MobileWebUIActionsClickTracking [1]
  • SearchSatisfaction [2]

I expected this to be the case but I'm glad the data backs it up.

[0]
month	day	n	n_16
5	25	3293252	897
5	26	3229161	919
5	27	3106105	883
5	28	2750182	827
5	29	2306607	778
5	30	2538758	921
5	31	3202681	887

select
  month,
  day,
  sum(1) as n,
  sum(if(char_length(event.token) = 16, 1, 0)) as n_16
from
  desktopwebuiactionstracking
where
  year = 2021
  and month = 5
  and day > 24
group by
  month, day
order by
  day asc
limit 10000
;
[1]
month	day	n	n_16
5	25	223859	8
5	26	220843	0
5	27	218718	0
5	28	216208	2
5	29	230081	3
5	30	242252	0
5	31	222744	1

select
  month,
  day,
  sum(1) as n,
  sum(if(char_length(event.token) = 16, 1, 0)) as n_16
from
  mobilewebuiactionstracking
where
  year = 2021
  and month = 5
  and day > 24
group by
  month, day
order by
  day asc
limit 10000
;
[2]
month	day	n	n_16
5	31	25957827	20686

select
  month,
  day,
  sum(1) as n,
  sum(if(char_length(event.mwsessionid) = 16, 1, 0)) as n_16
from
  searchsatisfaction
where
  year = 2021
  and month = 5
  and day = 31
group by
  month, day
order by
  day asc
limit 10000
;
Jdlrobson added a comment.Jun 10 2021, 11:55 PM

Should we bump the priority of this task?

ovasileva edited projects, added Web-Team-Backlog (Kanbanana-FY-2020-21); removed Web-Team-Backlog.Jun 11 2021, 11:03 AM
nshahquinn-wmf added a comment.Jun 11 2021, 6:40 PM
In T283881#7150411, @Jdlrobson wrote:

Should we bump the priority of this task?

In my opinion, no. As a data consumer, I definitely find this annoying but it's a very small proportion of events (less than 0.1% in all the streams discussed here) so there's no need to deal with it soon.

ovasileva removed ovasileva as the assignee of this task.Jun 14 2021, 5:00 PM
ovasileva subscribed.
phuedx edited projects, added Web-Team-Backlog; removed Web-Team-Backlog (Kanbanana-FY-2020-21).Jun 14 2021, 5:23 PM

I've added a filter to the eventgate-validation Logstash dashboard (Logstashboard?!) that refers to this task. Given T283881#7152241, I'm inclined to either lower the priority of this task to Lowest or decline this task. Regardless, I'm moving this off of Readers Web's kanban board.

phuedx moved this task from Needs Prioritization to unsed on the Web-Team-Backlog board.Jun 14 2021, 5:25 PM
Jdlrobson moved this task from unsed to Tracking on the Web-Team-Backlog board.Jun 14 2021, 6:05 PM
Jdlrobson edited projects, added Web-Team-Backlog (Tracking); removed Web-Team-Backlog.
nshahquinn-wmf removed projects: Language-Team, UniversalLanguageSelector.Jun 14 2021, 6:43 PM
In T283881#7156055, @phuedx wrote:

I've added a filter to the eventgate-validation Logstash dashboard (Logstashboard?!) that refers to this task.

Thanks! That's very helpful.

Given T283881#7152241, I'm inclined to either lower the priority of this task to Lowest or decline this task.

I wouldn't decline it, since it's helpful to have an open task for reference and discussion even if we are unlikely to ever fix the bug.

Regardless, I'm moving this off of Readers Web's kanban board.

Yes, that makes sense. Since the actual problem seems to be with mw.user.sessionId, the primary responsibility lies with Product-Data-Infrastructure (although, of course, they may not prioritize it).

nshahquinn-wmf renamed this task from A few events in the UniversalLanguageSelector data stream failing validation because web_session_id is too short to mw.user.sessionId sometimes returns IDs with 16 characters rather than 20.Jun 22 2021, 4:15 PM
Jdlrobson moved this task from Untriaged to Untag on the Web-Team-Backlog (Tracking) board.Sep 21 2021, 8:34 PM
Jdlrobson removed a project: Web-Team-Backlog (Tracking).Dec 7 2021, 7:46 PM
cjming mentioned this in T297521: eventgate_validation_error: '.web_session_id' should NOT be shorter than 20 characters.Mar 25 2022, 7:23 PM
Jdlrobson merged a task: T297521: eventgate_validation_error: '.web_session_id' should NOT be shorter than 20 characters.Mar 25 2022, 9:53 PM
Jdlrobson added subscribers: cjming, odimitrijevic, Aklapper.
Krinkle subscribed.Mar 25 2022, 9:59 PM
phuedx mentioned this in T336078: EventGate Validation error: `session_id` wrong length (multiple schemas).Jul 5 2023, 3:01 PM
matmarex merged a task: T336078: EventGate Validation error: `session_id` wrong length (multiple schemas).Jul 5 2023, 3:03 PM
matmarex added subscribers: Jdrewniak, matmarex.
matmarex added a comment.Jul 5 2023, 3:20 PM

I didn't know that the faulty values are coming from mw.user.sessionId(). But now that I do, the problem looks clear: it reads the value from the 'mwuser-sessionId' cookie, which is controlled by the user and could be anything.

In fact, we used to save 16-character values into that cookie prior to rMW29c803227f0d: mediawiki.user: Increase entropy of random token generator. That was in 2018, so it's a little bit surprising that a session cookie would persist that long, but only a little bit.

The method should validate the cookie value before using it if anything is going to depend on it being exactly 20 characters.

phuedx added a comment.EditedJul 5 2023, 3:26 PM
In T283881#8991016, @matmarex wrote:

In fact, we used to save 16-character values into that cookie prior to rMW29c803227f0d: mediawiki.user: Increase entropy of random token generator. That was in 2018, so it's a little bit surprising that a session cookie would persist that long, but only a little bit.

Amazing! We noted that this behaviour (session IDs persisting for a long time) could happen over on https://wikitech.wikimedia.org/wiki/Analytics/Sessions#Web but I didn't connect the proverbial dots…

gerritbot added a comment.Jul 5 2023, 3:28 PM

Change 935767 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/core@master] mw.user: Validate the cookie in sessionId() before returning

https://gerrit.wikimedia.org/r/935767

gerritbot added a project: Patch-For-Review.Jul 5 2023, 3:28 PM
matmarex claimed this task.Jul 5 2023, 3:29 PM
gerritbot added a comment.Jul 16 2023, 9:27 AM

Change 935767 merged by jenkins-bot:

[mediawiki/core@master] mediawiki.user: Validate the cookie in sessionId() before returning

https://gerrit.wikimedia.org/r/935767

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.18; 2023-07-18).Jul 16 2023, 10:00 AM
phuedx added a comment.Jul 17 2023, 8:37 AM

I'll keep an eye on the error rate and, once it's declined sufficiently, I'll update https://wikitech.wikimedia.org/wiki/Analytics/Sessions#Web and close this task as Resolved.

phuedx closed this task as Resolved.Jul 27 2023, 4:12 PM

Screenshot 2023-07-27 at 17.09.10.png (2×3 px, 1 MB)

Note that the other streams that were affected by this also show the same sharp decrease in these kinds of validation errors.

Thanks to @matmarex for the catch and the patch and @Krinkle for merging the patch.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL