Page MenuHomePhabricator
Create Task
Maniphest T398815

WE5.1.2 Verifiable MediaWiki sessions
Open, Needs TriagePublic
Actions

Description

Hypothesis

If we change MediaWiki session cookies to a structured format with a cryptographic signature, we will be able to use the presence of a session as a factor in protection against scrapers, by enabling trusted verification of sessions at the edge in a performant and highly scalable manner.

Context

Currently the only way to verify that a session token has been generated by MediaWiki is to ask MediaWiki to validate the session. By making sessions verifiable outside of MediaWiki, we will be able to use the presence of a valid session as a signal in abuse detection at the edge, without adding performance bottlenecks. We can then reuse this same approach to implement MediaWiki authentication in the new API Gateway to enable access to higher rate limits for authenticated users.

Target outcomes

  • Edge-verifiable sessions: Session cookies can be efficiently used as a signal in browser-detection at the edge, to help differentiate scrapers from human users.
  • API Gateway-verifiable sessions: Session cookies can be efficiently used as an authentication mechanism by the API Gateway to access higher rate limits.
  • Minimal reliance on MediaWiki: Session verification can be performed without having to rely on MediaWiki, reducing backend load and improving request performance.
  • No changes to user experience: No visible impact to end-users, with seamless migration of existing sessions to the new format.

Success criteria

  • New session format that can be verified outside of MediaWiki
  • MediaWiki sessions able to be used as an abuse signal at the edge
  • No performance regressions in existing use of sessions
  • Existing user sessions migrated to new session format
  • All user login migrated to use new session format

Related Objects
Search...

Event Timeline

JTweed-WMF created this task.Jul 7 2025, 11:53 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 7 2025, 11:53 AM
JTweed-WMF claimed this task.Jul 7 2025, 11:59 AM
Tgr subscribed.Jul 7 2025, 12:01 PM
JTweed-WMF edited projects, added FY2025-26 KR 5.1; removed MediaWiki-Platform-Team (FY25-26 KR 5.1).Jul 7 2025, 1:33 PM
JTweed-WMF moved this task from Inbox to WE5.1.1 on the FY2025-26 KR 5.1 board.Jul 10 2025, 1:43 PM
JTweed-WMF added a subtask: T394012: Decide how to expose session information outside of MediaWiki.Jul 10 2025, 1:47 PM
Tgr mentioned this in T399198: Define standard JWT session data for supported session types.Jul 10 2025, 8:18 PM
Tgr added a subtask: T399243: Support JWT generation for session tokens in MediaWiki core.Jul 10 2025, 8:49 PM
Tgr closed subtask T394012: Decide how to expose session information outside of MediaWiki as Resolved.Jul 15 2025, 1:25 AM
Tgr added a subtask: T399631: Deploy JWT cookies to production.Jul 15 2025, 8:29 PM
Tgr added a subtask: T399632: Add a rate limiting class to session JWTs.Jul 15 2025, 8:33 PM
Joe mentioned this in T400238: Add ability to validate JWTs in haproxy.Jul 23 2025, 1:56 PM
JTweed-WMF moved this task from WE5.1.1 to WE5.1.2 on the FY2025-26 KR 5.1 board.Jul 24 2025, 8:58 AM
Tgr closed subtask T399198: Define standard JWT session data for supported session types as Resolved.Aug 19 2025, 2:35 PM
Tgr closed subtask T399243: Support JWT generation for session tokens in MediaWiki core as Resolved.Sep 1 2025, 9:44 PM
Tgr closed subtask T399200: Update existing cookie-based sessions to include JWT cookie as Resolved.Sep 16 2025, 3:00 PM
dr0ptp4kt subscribed.Sep 16 2025, 6:21 PM
Tgr mentioned this in T404691: RenderTranslationPageJob: Sessions can only be imported when none is active..Sep 23 2025, 5:31 PM
matmarex added a subtask: T403424: Release wikimedia/timestamp v5.0.0 and update dependency in MediaWiki.Sep 25 2025, 1:08 AM
matmarex edited subtasks, added: T405541: Replace MediaWiki\Json\ClockAdapter; removed: T403424: Release wikimedia/timestamp v5.0.0 and update dependency in MediaWiki.
daniel mentioned this in T405578: api-gateway helm chart: use JWT to determine rate limit for rest routes.Sep 25 2025, 12:00 PM
Joe mentioned this in T406545: FY 25/26 WE 5.4.5: Enforce global rate-limits.Oct 7 2025, 6:13 AM
Joe mentioned this in T407092: Exclude logged in users from requestctl general filters, create separate scope for it..Oct 13 2025, 6:22 AM
Tgr mentioned this in T407987: Define best practice for single-user apps which need a high MediaWiki API rate limit.Oct 22 2025, 2:44 PM
Tgr closed subtask T399199: Update OAuth 2.0 sessions to include new JWT session data from core as Resolved.Wed, Nov 19, 3:23 PM
JTweed-WMF closed subtask T399201: Provide support for implementing session verification at the edge as Resolved.Fri, Nov 21, 11:46 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits