Page MenuHomePhabricator
Create Task
Maniphest T394076

Investigate storing anonymous sessions client-side
Closed, DeclinedPublic
Actions

Description

We might want to explore session store implementations which do not put load on our infrastructure (see T394075: Investigate using different stores for different kinds of sessions for motivation). The ultimate version of this is not using our infrastructure at all, and storing the session on the client side. We probably don't want to do this for security-sensitive data (we don't want the security of our session encryption scheme and key management to be the only things preventing an attacker from impersonating any other account by just changing the username in the session data), but for anonymous sessions it might be fine.

Some potential complications:

  • Sessions can be large. AuthManager puts a fair amount of data in the session. Special:Book can put an arbitrarily large amount of data in the session.
  • Especially during login, we do store security-sensitive information in the session; an attacker manipulating that would be functionally equivalent to being able to manipulate the username in an authenticated session. So the exact scope of what sessions to use this for might be somewhat different from "unathenticated". Or maybe we might want to use a scheme where some data is stored in the cookie but it can have a pointer to further data in the session store. (We already have Session::setSecret(), that might be a reasonable way of differentiating.)
  • Using cookies as storage limits what code can write to the session (e.g. jobs or post-send deferred can't). That would break some use cases like storing upload progress in the session, although probably those use cases are not relevant for anonymous users.
  • Race conditions and similar problems will get worse as time between MediaWiki code issuing a session write and the session store (browser) actually receiving it goes up by a magnitude.

Related Objects
Search...

Event Timeline

Tgr created this task.May 13 2025, 5:14 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMay 13 2025, 5:14 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr mentioned this in T394075: Investigate using different stores for different kinds of sessions.May 13 2025, 5:15 PM
Tgr added a subtask: T394075: Investigate using different stores for different kinds of sessions.
Tgr updated the task description. (Show Details)May 13 2025, 5:19 PM
Bugreporter subscribed.May 14 2025, 7:43 AM

Stateless web frameworks such as Flask and Play Framework store everything locally in Cookies. However in Wikimedia wikis, I doubt how many anonymous sessions is active (comparing with logged-in and temporary accounts), and if the number is small, it may not worth doing. In addition, how is anonymous sessions currently used - some feature can be rewritten with cookie only without using session store.

Tgr mentioned this in T394012: Decide how to expose session information outside of MediaWiki.May 15 2025, 6:24 PM
Krinkle moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.May 19 2025, 2:33 PM
Tgr mentioned this in T390784: Error when logging-in on auth.wikimedia.org: "The provided authentication token is either expired or invalid.".Jun 15 2025, 10:39 AM
JTweed-WMF removed a subtask: T394075: Investigate using different stores for different kinds of sessions.Jul 10 2025, 1:27 PM
JTweed-WMF added a parent task: T398814: WE5.1.1 Session storage protection.Jul 10 2025, 1:37 PM
JTweed-WMF added projects: Epic, OKR-Work.
JTweed-WMF added a project: FY2025-26 KR 5.1.
JTweed-WMF moved this task from Inbox to WE5.1.1 on the FY2025-26 KR 5.1 board.Jul 10 2025, 1:42 PM
Tgr added a comment.Jul 10 2025, 7:21 PM

This is phrased non-committally ("investigate" rather than "do") because I'm somewhat skeptical it will be feasible. If we end up doing it, we'll want some subtasks though (probably around analytics / deployment, maybe performance) - this would be a significant change.

In T394076#10820422, @Bugreporter wrote:

However in Wikimedia wikis, I doubt how many anonymous sessions is active (comparing with logged-in and temporary accounts)

About two thirds of session writes are anonymous (per this dashboard).

In addition, how is anonymous sessions currently used

Mostly CSRF and login/signup state.

JTweed-WMF edited parent tasks, added: T400372: Separate storage backend for anonymous sessions; removed: T398814: WE5.1.1 Session storage protection.Jul 24 2025, 3:00 PM
JTweed-WMF removed projects: FY2025-26 KR 5.1, Epic.
Tgr added a comment.Aug 25 2025, 4:42 PM

I think this should be a top-level epic for 5.1.1: it's fairly large (investigating not so much, but if we end up actually doing it, that is going to take some effort), it's not part of the commitment we made about providing a separate backend for anonymous sessions (it's more like a "backendless" mode), it will need its own QA and deploy process which won't have any overlap with the one for a separate anonymous backend.

Tgr mentioned this in T402850: Decide on anonymous session backend.Aug 25 2025, 7:29 PM
JTweed-WMF moved this task from Needs refinement to Next (DO NOT USE) on the MediaWiki-Platform-Team board.Aug 28 2025, 2:42 PM
JTweed-WMF closed this task as Resolved.Nov 21 2025, 11:30 AM
JTweed-WMF claimed this task.
JTweed-WMF subscribed.

As @Tgr notes this ticket was an investigation and I think we've decided not to do this, so closing as resolved.

Tgr changed the task status from Resolved to Declined.Nov 24 2025, 10:43 AM

Just to clarify, we didn't investigate whether client-side session storage is possible (we decided that with T400372: Separate storage backend for anonymous sessions done, there is no pressing reason for now so even if we found client-side storage is technically feasible, we probably wouldn't invest into building it, making the investigation pointless).

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits