In T362331#10023547, @Joe wrote:

If we start [using Memched for sessions], we either:

a) Make the lives of SREs hell because they can't restart memcached without a lot of pre-configuring and syncing, and this would still not guarantee data consistency
b) Cause unexpected behaviour, race conditions and all kinds of UX problems

[…]

For what its worth, I did consider operational flexibility, but perhaps insufficiently. From the proposal:

From the task description § Proposal 1:

We expect […] 3 hosts per DC […]. The memcache instances have to be redundant for data within DCs, so in case of failover/switch we do not lose users session data. Hence mcrouter would best-effort write the same data to all three hosts.

We should not reuse the main memcache cluster because […] unrelated LRU pressure.

These instances are separate from main memcached cluster. The longest duration of any session store key is 24 hours. This is because it's not really used as a session store. It is a mostly vacant dataset, where the keys serve to reserve that a session ID exists and is valid, with the data array being effectively empty, apart from a lazy-initialized CSRF token seed (which we could derive in other ways), and beyond that a space for short-lived temporary data to carry between two consecutive HTTP requests. The "real" session store is the user_token column in the MySQL database, i.e. this powers "Remember me" and any multi-day session.

With a time window that short, we can tolerate restarts/loss of 2/3 hosts in a given 24 hour window. The third would be fine to lose/restart 24h after that, as by then the other two will have built up sessions still valid. Those using "Remember me" would be unaffected even after a 3/3 loss.

In any event, I'm happy to withdraw this proposal given the current situation is acceptable/preferred by SRE. The intent is to reduce the need for additional expertise and operations of the rarely-used Cassandra data store (after MySQL/Memcached), for a use case that hold very little data, and imho doesn't have enough unique needs to justify it. For FY23-25, we did not prioritize this proposal. I'll decline the subtasks specific to the above proposal, and leave this open for future exploration/simplification, possibly in FY25-26.

While not in-scope of this task, I would suggest pursuing the following if we're sticking with Kask/Cassandra for sessions:

• Kask service ownership. Kask is currently unassigned on mw:Maintainers. Last commits in Gerrit were by Eric (now SRE/DBA) and Giuseppe and Alex (SRE/ServiceOps). The repo appears to have moved from there to an unspecified location in GitLab (not indexed by Codesearch, not linked form mw:Maintainers, SessionStorage docs on Wikitech, or Kask docs on mediawiki.org).
• Cassandra storage amplification. The current 1:100 ratio seems unsustainable (>100GB disk space required per <1G of data, per T313496#8096630)

As a future proposal, if we implement Cassandra support directly, it would:

• address the issue that RESTBagOStuff is an incomplete/non-compliant BagOStuff implementation (by removing it),
• address the footgun that TTL is ignored and needs to be duplicated outside MediaWiki in the Kask helmchart,
• address the Kask serivce ownership question (by removing it),
• make it easy to adopt the CassandraBagOStuff for MainStash or ParserCache in the future. Note that there is afaik no current demand from DBAs for this, for ParserCache after T373037: Make ParserCache more like a ring, nor MainStash after T383327: Re-architecture mainstash (x2) to allow easier maintenance .