Page MenuHomePhabricator
Create Task
Maniphest T406621

Session cookie JWTs of SUL and non-SUL wikis conflict
Closed, ResolvedPublic
Actions

Description

To make it easy to interact with session cookies in non-MediaWiki infrastructure (where mapping between domain names and wiki IDs is not trivial), we use the same cookie name (sessionJwt) for all JWT cookies, regardless of the wiki. For CentralAuth wikis, we use the CentralAuth cookie settings (e.g. enwiki sets the cookie on .wikipedia.org). But that means JWTs for CentralAuth wikis and non-CentralAuth wikis (e.g. en.wikipedia.org and en-arbcom.wikipedia.org) conflict, causing session loss.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
jwt: Use core cookie settingsmediawiki/extensions/CentralAuthwmf/1.45.0-wmf.22+1 -5
jwt: Use core cookie settingsmediawiki/extensions/CentralAuthwmf/1.45.0-wmf.21+1 -5
jwt: Use core cookie settingsmediawiki/extensions/CentralAuthmaster+1 -5
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Oct 7 2025, 4:47 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptOct 7 2025, 4:47 PM
Restricted Application added subscribers: ZhaoFJx, Aklapper. · View Herald Transcript
Tgr mentioned this in T399631: Deploy JWT cookies to production.Oct 7 2025, 4:48 PM
Tgr added a parent task: T399631: Deploy JWT cookies to production.
Tgr added a comment.Oct 7 2025, 6:10 PM

I can think of three options:

  • Prefix all non-CentralAuth JWT cookies by wiki name (ie. use the standard MediaWiki cookie prefix in CookieSessionProvider, and only override it in CentralAuthSessionProvider).
  • Use sessionJwt for CentralAuth wikis, __Host-sessionJwt on non-CentralAuth wikis so the parent-domain cookie gets ignored.
  • Never use the parent domain for JWT cookies.

Given the SRE preference for a single deterministic cookie name, the third option is clearly superior. (Two cookie names would be maybe not that bad but it might still cause issues on old browsers that don't understand the __Host- prefix.) We didn't really need the shared JWT cookies for anything, so I don't think there's any drawback. There will be slightly more cookies per eTLD+1 domain, but we haven't had any issues related to total cookie count for a long time.

The JWT cookies will still be shared on auth.wikimedia.org. That's fine since that's only used by SUL wikis so the cookie values don't conflict.

gerritbot added a comment.Oct 7 2025, 6:15 PM

Change #1194265 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] jwt: Use core cookie settings

https://gerrit.wikimedia.org/r/1194265

gerritbot added a project: Patch-For-Review.Oct 7 2025, 6:15 PM
Tgr claimed this task.Oct 7 2025, 7:29 PM
Tgr moved this task from Inbox, needs triage to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.
gerritbot added a comment.Oct 8 2025, 11:24 AM

Change #1194265 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] jwt: Use core cookie settings

https://gerrit.wikimedia.org/r/1194265

Maintenance_bot removed a project: Patch-For-Review.Oct 8 2025, 11:36 AM
gerritbot added a comment.Oct 8 2025, 11:48 AM

Change #1194603 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.45.0-wmf.21] jwt: Use core cookie settings

https://gerrit.wikimedia.org/r/1194603

gerritbot added a project: Patch-For-Review.Oct 8 2025, 11:48 AM

Change #1194604 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.45.0-wmf.22] jwt: Use core cookie settings

https://gerrit.wikimedia.org/r/1194604

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.23; 2025-10-14).Oct 8 2025, 12:00 PM
gerritbot added a comment.Oct 8 2025, 1:15 PM

Change #1194603 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.45.0-wmf.21] jwt: Use core cookie settings

https://gerrit.wikimedia.org/r/1194603

gerritbot added a comment.Oct 8 2025, 1:15 PM

Change #1194604 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.45.0-wmf.22] jwt: Use core cookie settings

https://gerrit.wikimedia.org/r/1194604

Maintenance_bot removed a project: Patch-For-Review.Oct 8 2025, 1:31 PM
Stashbot added a comment.Oct 8 2025, 1:56 PM

Mentioned in SAL (#wikimedia-operations) [2025-10-08T13:56:11Z] <lucaswerkmeister-wmde@deploy2002> Started scap sync-world: Backport for [[gerrit:1194605|Temporarily undeploy JWT session cookies (T399631)]], [[gerrit:1194603|jwt: Use core cookie settings (T406621)]], [[gerrit:1194604|jwt: Use core cookie settings (T406621)]], [[gerrit:1194607|Force OATHManage to be on central domain (T401773)]], [[gerrit:1194150|Force OATHManage to be on central domain (T401773)]]

Stashbot mentioned this in T401773: Always redirect 2FA management special page to auth domain on SUL wikis, so that WebAuthn setup can be offered.Oct 8 2025, 1:56 PM
ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.22; 2025-10-07); removed MW-1.45-notes (1.45.0-wmf.23; 2025-10-14).Oct 8 2025, 2:00 PM
Stashbot added a comment.Oct 8 2025, 2:01 PM

Mentioned in SAL (#wikimedia-operations) [2025-10-08T14:01:12Z] <lucaswerkmeister-wmde@deploy2002> d3r1ck01, lucaswerkmeister-wmde, reedy, tgr: Backport for [[gerrit:1194605|Temporarily undeploy JWT session cookies (T399631)]], [[gerrit:1194603|jwt: Use core cookie settings (T406621)]], [[gerrit:1194604|jwt: Use core cookie settings (T406621)]], [[gerrit:1194607|Force OATHManage to be on central domain (T401773)]], [[gerrit:1194150|Force OATHManage to be on central domain (T401773)

Stashbot added a comment.Oct 8 2025, 2:10 PM

Mentioned in SAL (#wikimedia-operations) [2025-10-08T14:10:11Z] <lucaswerkmeister-wmde@deploy2002> Finished scap sync-world: Backport for [[gerrit:1194605|Temporarily undeploy JWT session cookies (T399631)]], [[gerrit:1194603|jwt: Use core cookie settings (T406621)]], [[gerrit:1194604|jwt: Use core cookie settings (T406621)]], [[gerrit:1194607|Force OATHManage to be on central domain (T401773)]], [[gerrit:1194150|Force OATHManage to be on central domain (T401773)]] (duration: 14m 0

Tgr closed this task as Resolved.Oct 13 2025, 10:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits