
Update existing cookie-based sessions to include JWT cookie
Closed, Resolved (Public)

Description

Depends on T399198: Define standard JWT session data for supported session types and T399243: Support JWT generation for session tokens in MediaWiki core, and on the pending decision in T394012#10980179. Removing existing cookies is out of scope for now; we'll duplicate some information. Consistency between cookies will be enforced, though.

We'll put it behind a configuration flag as it's not relevant to most MediaWiki installations and adds extra bytes to every request.

Event Timeline

Change #1171202 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] [WIP] Use a JWT cookie in CookieSessionProvider

https://gerrit.wikimedia.org/r/1171202

Change #1176315 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] [WIP] Support JWT session cookies in CentralAuth

https://gerrit.wikimedia.org/r/1176315

Change #1171202 merged by jenkins-bot:

[mediawiki/core@master] Use a JWT cookie in CookieSessionProvider

https://gerrit.wikimedia.org/r/1171202

Change #1176315 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Support JWT session cookies in CentralAuth

https://gerrit.wikimedia.org/r/1176315

The patches use the standard session cookie expiration time, but on second thought it makes the deployment much safer if we use a short expiry (something like an hour) since we can just wait a bit to get rid of all cookies with erroneous values if something was wrong with the first version of the code. And in the long term we want to do something like that anyway, since JWTs with a long expiry could be abusable. So I'll make a follow-up patch for that.

It looks like the changes to the constructor cause problems for plugins like Auth_remoteuser. Is there a migration guide on how we're supposed to correctly implement these changes? Or would you be willing to help @thiemowmde fix https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Auth_remoteuser/+/1185481 ?

Sorry, I don't know much about the changes that happened in the CookieSessionProvider core class(es). I can see that it's not marked as stable. Extending such a class in an extension is something people would do mostly at their own risk.

However, I tried something in https://gerrit.wikimedia.org/r/1185481. This might or might not be the correct way to solve this. The patch is especially not compatible with older MediaWiki versions any more.

The Set-Cookie header is emitted multiple times, which results in a bloated response as it's around 700 bytes per cookie (on Vagrant, nginx actually dies with "upstream sent too big header while reading response header from upstream" for temp user creation, which outputs the Set-Cookie header a whopping five times).

Emitting cookies many times per request is a known problem with SessionManager. It's usually not an issue because WebResponse deduplicates cookies, but JWTs are nondeterministic.
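An added illustration of the point made above, not code from MediaWiki or from the patch on this task: a minimal HS256 session JWT is minted several times in one response, and the (name, value) deduplication that stands in for WebResponse's behaviour only collapses the headers once the jti is cached per request so that every mint yields the same token. The cookie name, signing key, session id, timestamp and the dedup-by-value rule are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-secret"  # constructed; a real deployment uses its own signing key

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_jwt(claims: dict) -> str:
    """Minimal HS256 JWT; stands in for the session JWT, not MediaWiki's own code."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

class RequestContext:
    """Per-request state; caching the jti here is what makes repeated minting deterministic."""
    def __init__(self, now: int):
        self.now = now
        self.cached_jti = None

    def claims(self, session_id: str, cache_jti: bool) -> dict:
        if cache_jti:
            if self.cached_jti is None:
                self.cached_jti = secrets.token_hex(8)
            jti = self.cached_jti
        else:
            jti = secrets.token_hex(8)  # fresh per call, so every token differs
        # One-hour expiry, as the follow-up patch on this task chose.
        return {"sub": session_id, "iat": self.now, "exp": self.now + 3600, "jti": jti}

def set_cookie_headers(ctx, session_id, emits, cache_jti):
    """Set the JWT cookie `emits` times in one response and dedup by (name, value),
    a simplified stand-in for WebResponse's cookie deduplication (assumption)."""
    unique = {}
    for _ in range(emits):
        token = mint_jwt(ctx.claims(session_id, cache_jti))
        unique[("sessionJwt", token)] = None  # constructed cookie name
    return [f"Set-Cookie: {n}={v}; HttpOnly; Secure" for n, v in unique]

def demo(emits: int = 5) -> tuple:
    """Header counts (without jti caching, with jti caching) for the same session."""
    now = 1_758_000_000  # constructed timestamp
    naive = set_cookie_headers(RequestContext(now), "sess-123", emits, cache_jti=False)
    cached = set_cookie_headers(RequestContext(now), "sess-123", emits, cache_jti=True)
    return len(naive), len(cached)

if __name__ == "__main__":
    print(demo())
```

Caching the jti also implies caching iat within the request; a timestamp that ticks over mid-request would otherwise defeat the deduplication in the same way.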

Change #1187433 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] session: Cache JWT JTI in CookieSessionProvider

https://gerrit.wikimedia.org/r/1187433

Change #1185305 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] Use short expiry for JWT cookies

https://gerrit.wikimedia.org/r/1185305

Change #1188321 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] session: Add a mechanism for forcing a refresh

https://gerrit.wikimedia.org/r/1188321

Change #1187433 merged by jenkins-bot:

[mediawiki/core@master] session: Cache JWT JTI in CookieSessionProvider

https://gerrit.wikimedia.org/r/1187433

Change #1188420 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.45.0-wmf.18] session: Cache JWT JTI in CookieSessionProvider

https://gerrit.wikimedia.org/r/1188420

Change #1188420 merged by jenkins-bot:

[mediawiki/core@wmf/1.45.0-wmf.18] session: Cache JWT JTI in CookieSessionProvider

https://gerrit.wikimedia.org/r/1188420

Mentioned in SAL (#wikimedia-operations) [2025-09-15T20:49:56Z] <tgr@deploy1003> Started scap sync-world: Backport for [[gerrit:1187476|Allow creating new WebAuthn passkeys on private wikis (T378402 T354701)]], [[gerrit:1187980|Allow ClosedWikiProvider on the local domain on SUL wikis (T393473 T401640)]], [[gerrit:1188420|session: Cache JWT JTI in CookieSessionProvider (T399200)]]

Mentioned in SAL (#wikimedia-operations) [2025-09-15T20:56:19Z] <tgr@deploy1003> tgr: Backport for [[gerrit:1187476|Allow creating new WebAuthn passkeys on private wikis (T378402 T354701)]], [[gerrit:1187980|Allow ClosedWikiProvider on the local domain on SUL wikis (T393473 T401640)]], [[gerrit:1188420|session: Cache JWT JTI in CookieSessionProvider (T399200)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-09-15T21:07:19Z] <tgr@deploy1003> Finished scap sync-world: Backport for [[gerrit:1187476|Allow creating new WebAuthn passkeys on private wikis (T378402 T354701)]], [[gerrit:1187980|Allow ClosedWikiProvider on the local domain on SUL wikis (T393473 T401640)]], [[gerrit:1188420|session: Cache JWT JTI in CookieSessionProvider (T399200)]] (duration: 17m 23s)

Change #1188321 merged by jenkins-bot:

[mediawiki/core@master] session: Add a mechanism for forcing a refresh

https://gerrit.wikimedia.org/r/1188321

Change #1185305 merged by jenkins-bot:

[mediawiki/core@master] Use short expiry for JWT cookies

https://gerrit.wikimedia.org/r/1185305

Change #1188475 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@master] tests: Update for SessionCookieJwtExpiration added in core

https://gerrit.wikimedia.org/r/1188475

Change #1188475 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] tests: Update for SessionCookieJwtExpiration added in core

https://gerrit.wikimedia.org/r/1188475

Change #1188479 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@master] tests: Update for SessionCookieJwtExpiration added in core (follow-up)

https://gerrit.wikimedia.org/r/1188479

Change #1188716 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.45.0-wmf.18] session: Add a mechanism for forcing a refresh

https://gerrit.wikimedia.org/r/1188716

Change #1188717 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.45.0-wmf.18] Use short expiry for JWT cookies

https://gerrit.wikimedia.org/r/1188717

Change #1188718 had a related patch set uploaded (by Gergő Tisza; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@wmf/1.45.0-wmf.18] tests: Update for SessionCookieJwtExpiration added in core

https://gerrit.wikimedia.org/r/1188718

Change #1188479 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] tests: Update for SessionCookieJwtExpiration added in core (follow-up)

https://gerrit.wikimedia.org/r/1188479

Change #1188716 merged by jenkins-bot:

[mediawiki/core@wmf/1.45.0-wmf.18] session: Add a mechanism for forcing a refresh

https://gerrit.wikimedia.org/r/1188716

Change #1188717 merged by jenkins-bot:

[mediawiki/core@wmf/1.45.0-wmf.18] Use short expiry for JWT cookies

https://gerrit.wikimedia.org/r/1188717

Change #1188718 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.45.0-wmf.18] tests: Update for SessionCookieJwtExpiration added in core

https://gerrit.wikimedia.org/r/1188718

Mentioned in SAL (#wikimedia-operations) [2025-09-16T13:29:43Z] <tgr@deploy1003> Started scap sync-world: Backport for [[gerrit:1188715|User: Simplify makeUpdateConditions() (T401748)]], [[gerrit:1188716|session: Add a mechanism for forcing a refresh (T399200)]], [[gerrit:1188717|Use short expiry for JWT cookies (T399200)]], [[gerrit:1188718|tests: Update for SessionCookieJwtExpiration added in core (T399200 T404667)]], [[gerrit:1188765|xLab: Fix instrument to produce valid events

Mentioned in SAL (#wikimedia-operations) [2025-09-16T13:35:39Z] <tgr@deploy1003> hueitan, tgr: Backport for [[gerrit:1188715|User: Simplify makeUpdateConditions() (T401748)]], [[gerrit:1188716|session: Add a mechanism for forcing a refresh (T399200)]], [[gerrit:1188717|Use short expiry for JWT cookies (T399200)]], [[gerrit:1188718|tests: Update for SessionCookieJwtExpiration added in core (T399200 T404667)]], [[gerrit:1188765|xLab: Fix instrument to produce valid events (T404420)]]

Mentioned in SAL (#wikimedia-operations) [2025-09-16T13:48:33Z] <tgr@deploy1003> Finished scap sync-world: Backport for [[gerrit:1188715|User: Simplify makeUpdateConditions() (T401748)]], [[gerrit:1188716|session: Add a mechanism for forcing a refresh (T399200)]], [[gerrit:1188717|Use short expiry for JWT cookies (T399200)]], [[gerrit:1188718|tests: Update for SessionCookieJwtExpiration added in core (T399200 T404667)]], [[gerrit:1188765|xLab: Fix instrument to produce valid events

Change #1190624 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] session: Fix date handling for JWT cookies

https://gerrit.wikimedia.org/r/1190624

Change #1190624 merged by jenkins-bot:

[mediawiki/core@master] session: Fix date handling for JWT cookies

https://gerrit.wikimedia.org/r/1190624

Change #1190712 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.45.0-wmf.19] session: Fix date handling for JWT cookies

https://gerrit.wikimedia.org/r/1190712

Change #1190713 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.45.0-wmf.20] session: Fix date handling for JWT cookies

https://gerrit.wikimedia.org/r/1190713

Change #1190712 merged by jenkins-bot:

[mediawiki/core@wmf/1.45.0-wmf.19] session: Fix date handling for JWT cookies

https://gerrit.wikimedia.org/r/1190712

Change #1190713 merged by jenkins-bot:

[mediawiki/core@wmf/1.45.0-wmf.20] session: Fix date handling for JWT cookies

https://gerrit.wikimedia.org/r/1190713

Mentioned in SAL (#wikimedia-operations) [2025-09-23T20:28:24Z] <tgr@deploy1003> Started scap sync-world: Backport for [[gerrit:1190712|session: Fix date handling for JWT cookies (T399243 T399200)]], [[gerrit:1190713|session: Fix date handling for JWT cookies (T399243 T399200)]]

Mentioned in SAL (#wikimedia-operations) [2025-09-23T20:55:42Z] <tgr@deploy1003> tgr: Backport for [[gerrit:1190712|session: Fix date handling for JWT cookies (T399243 T399200)]], [[gerrit:1190713|session: Fix date handling for JWT cookies (T399243 T399200)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-09-23T21:10:09Z] <tgr@deploy1003> Finished scap sync-world: Backport for [[gerrit:1190712|session: Fix date handling for JWT cookies (T399243 T399200)]], [[gerrit:1190713|session: Fix date handling for JWT cookies (T399243 T399200)]] (duration: 41m 51s)