Page MenuHomePhabricator
Create Task
Maniphest T398814

WE5.1.1 Session storage protection
Closed, ResolvedPublic
Actions

Description

Hypothesis

If we use different storage backends for authenticated and anonymous sessions, we will be able to protect Sessionstore from DDoS attacks and high-volume scrapers, by not overloading it with the anonymous sessions that are created to provide CSRF prevention on authentication pages.

Context

We are seeing an increased load on Sessionstore from a combination of high-volume scraping and targeted attacks on our user account pages. Whilst we have been able to mitigate this in the short term by increasing the resources available to Sessionstore and reducing the number of writes to sessions, this is not sustainable mid- to long-term. We want to explore alternative options for session storage, including whether anonymous sessions used for CSRF protection can be stored entirely client-side.

Target outcomes

  • Reduced load on Sessionstore: Reduce the volume of requests to Sessionstore from new account and login pages, with an overall decrease in storage requirements.
  • Improved resilience to scraping and DDoS: Better protect our core authentication and session storage infrastructure from high-volume scraping and targeted attacks.
  • Better separation of different kinds of sessions: Provide clearer and more flexible options for managing the resources used by different sessions types.

Success criteria

  • All anonymous sessions migrated to new session storage management
  • All authenticated sessions migrated to new session storage management
  • Logged-in users better protected from session failure caused by scraping
  • Reduction in growth and overall resource usage for session storage
  • No regressions in CSRF or other session security protections

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedJTweed-WMFT398814 WE5.1.1 Session storage protection
 ResolvedJTweed-WMFT400365 Support multiple session stores
 ResolvedDAlangi_WMFT394075 Investigate using different stores for different kinds of sessions
 ResolvedmatmarexT265400 Research to create service for SessionManager::singleton()/getGlobalSession()
 ResolvedDAlangi_WMFT399192 Create new session store abstraction to replace BagOStuff in SessionManager
 ResolvedDAlangi_WMFT399195 Update logging and monitoring for multiple session storage backends
 ResolvedmatmarexT362324 Disable PHPSessionHandler in Wikimedia production
 ResolvedTgrT124371 Clean up usage of $_SESSION in WMF-deployed extensions
 ResolvedFlorianT132251 CentralNotice shouldn't use wfSetupSession() anymore
 ResolvedPRODUCTION ERRORpmiazgaT162910 Update Collection not to use deprecated wfSetupSession call
 ResolvedPRODUCTION ERRORJdforrester-WMFT186339 Update SecurePoll not to use deprecated wfSetupSession call
 ResolvedPRODUCTION ERRORTgrT393963 PHP Deprecated: Use of $_SESSION was deprecated in MediaWiki 1.27. [Called from session_write_close in (internal function)]
 ResolvedHokwelumT400667 Make all SessionManager tests pass with PHPSessionHandler disabled
 ResolvedmatmarexT400668 Debug warnings that were recorded with $wgPHPSessionHandling = 'warn' in WMF production
 ResolvedmatmarexT402602 Storing objects in session data causes unnecessary session writes, and emits spurious warnings with $wgPHPSessionHandling = 'warn'
 ResolvedmatmarexT403519 Several mwapi (Python) based tools are failing to edit: badtoken: Invalid CSRF token.
 ResolvedJTweed-WMFT400372 Separate storage backend for anonymous sessions
 ResolvedDAlangi_WMFT399193 Investigate anonymous to authenticated session transitions
 ResolvedDAlangi_WMFT399194 Implement different backends for anonymous and authenticated sessions
 DeclinedJTweed-WMFT394076 Investigate storing anonymous sessions client-side
 ResolvedDAlangi_WMFT402808 Deploy separate anonymous session backend to Wikimedia production, in log-only mode
 ResolvedDAlangi_WMFT405824 Develop Grafana dashboard for MediaWiki session store sessions
 ResolvedPRODUCTION ERRORDAlangi_WMFT405633 Session data is authenticated, should not be an anonymous user
 ResolvedPRODUCTION ERRORDAlangi_WMFT405634 Authenticated data should not be in the anonymous store
 ResolvedPRODUCTION ERRORDAlangi_WMFT406560 Anonymous data should not be in the authenticated store
 ResolvedTgrT402850 Decide on anonymous session backend
 OpenNoneT402853 Deploy separate anonymous session backend to Wikimedia production
 ResolvedHokwelumT400249 SessionBackend should save sessions at the end of the request (and only there)
 ResolvedDAlangi_WMFT407145 Monitor read-only MultiBackend session store (post-deployment to all wikis)

Event Timeline

JTweed-WMF created this task.Jul 7 2025, 11:50 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 7 2025, 11:50 AM
JTweed-WMF updated the task description. (Show Details)Jul 7 2025, 11:51 AM
JTweed-WMF claimed this task.Jul 7 2025, 11:59 AM
Tgr subscribed.Jul 7 2025, 12:01 PM
JTweed-WMF edited projects, added FY2025-26 KR 5.1; removed MediaWiki-Platform-Team (FY25-26 KR 5.1).Jul 7 2025, 1:32 PM
JTweed-WMF added a subtask: T394075: Investigate using different stores for different kinds of sessions.Jul 10 2025, 1:27 PM
JTweed-WMF added a subtask: T394076: Investigate storing anonymous sessions client-side.Jul 10 2025, 1:37 PM
JTweed-WMF moved this task from Inbox to WE5.1.1 on the FY2025-26 KR 5.1 board.Jul 10 2025, 1:42 PM
JTweed-WMF added a subtask: T400365: Support multiple session stores.Jul 24 2025, 2:20 PM
JTweed-WMF removed a subtask: T394075: Investigate using different stores for different kinds of sessions.
JTweed-WMF removed a subtask: T399192: Create new session store abstraction to replace BagOStuff in SessionManager.Jul 24 2025, 2:38 PM
JTweed-WMF removed a subtask: T399195: Update logging and monitoring for multiple session storage backends.
JTweed-WMF removed a subtask: T399193: Investigate anonymous to authenticated session transitions.Jul 24 2025, 2:59 PM
JTweed-WMF removed a subtask: T399194: Implement different backends for anonymous and authenticated sessions.
JTweed-WMF removed a subtask: T394076: Investigate storing anonymous sessions client-side.
JTweed-WMF added a subtask: T400372: Separate storage backend for anonymous sessions.Jul 24 2025, 3:01 PM
JTweed-WMF added a subtask: T400249: SessionBackend should save sessions at the end of the request (and only there).Jul 28 2025, 2:54 PM
matmarex closed subtask T400249: SessionBackend should save sessions at the end of the request (and only there) as Resolved.Aug 11 2025, 11:04 PM
Tgr mentioned this in T404691: RenderTranslationPageJob: Sessions can only be imported when none is active..Sep 23 2025, 5:31 PM
DAlangi_WMF closed subtask T407145: Monitor read-only MultiBackend session store (post-deployment to all wikis) as Resolved.Oct 17 2025, 7:45 PM
JTweed-WMF closed subtask T400365: Support multiple session stores as Resolved.Fri, Nov 21, 11:28 AM
JTweed-WMF closed this task as Resolved.Fri, Nov 21, 11:30 AM
JTweed-WMF closed subtask T400372: Separate storage backend for anonymous sessions as Resolved.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits