Page MenuHomePhabricator
Create Task
Maniphest T409018

JWT cookie causing anonymous session writes
Closed, ResolvedPublic
Actions

Description

The session writes dashboard shows a big increase in manual-forced writes for anonymous sessions:

Screenshot Capture - 2025-11-02 - 22-55-16.png (1,887×740 px, 133 KB)

That corresponds to the needsRefresh flag in SessionInfo, which is only used for updating JWT cookies. rMWf78fb6eb599a: session: Do not set JWT cookies for anonymous users was supposed to disable JWTs for anons and avoid that noise, but apparently something went wrong with that.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Do not refresh anonymous sessions due to missing JWTsmediawiki/coremaster+4 -4
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Nov 2 2025, 9:58 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptNov 2 2025, 9:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr added a parent task: T399631: Deploy JWT cookies to production.Nov 2 2025, 9:59 PM
OWresch-WMF moved this task from Inbox, needs triage to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.Nov 3 2025, 3:44 PM
OWresch-WMF assigned this task to Tgr.Nov 3 2025, 3:51 PM
gerritbot added a comment.Nov 21 2025, 12:34 AM

Change #1208055 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] Do not refresh anonymous sessions due to missing JWTs

https://gerrit.wikimedia.org/r/1208055

gerritbot added a project: Patch-For-Review.Nov 21 2025, 12:34 AM
OWresch-WMF edited projects, added: MediaWiki-Platform-Team (Kanban Board); removed: MediaWiki-Platform-Team.Nov 21 2025, 11:44 AM
OWresch-WMF moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Kanban Board) board.
gerritbot added a comment.Nov 25 2025, 8:46 AM

Change #1208055 merged by jenkins-bot:

[mediawiki/core@master] Do not refresh anonymous sessions due to missing JWTs

https://gerrit.wikimedia.org/r/1208055

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.5; 2025-12-02).Nov 25 2025, 9:00 AM
Maintenance_bot removed a project: Patch-For-Review.Nov 25 2025, 9:31 AM
OWresch-WMF moved this task from In Progress to To be verified in Prod on the MediaWiki-Platform-Team (Kanban Board) board.Nov 27 2025, 3:10 PM
Tgr added a comment.Dec 12 2025, 5:27 PM

The manual-forced writes are gone as expected, but the total writes are still pretty high. Not sure what to think about it.

Screenshot Capture - 2025-12-12 - 17-23-19.png (1,887×635 px, 94 KB)

Tgr added a comment.Dec 12 2025, 5:29 PM

Actually not entirely expected - I think there should still be a small trickle of manual-forced writes from JWT cookie expiries for logged-in users, just much less than before? But we have zero now.

JTweed-WMF subscribed.Jan 9 2026, 11:53 AM

Do we still have concerns here or have we determined that this is expected?

Tgr closed this task as Resolved.Jan 23 2026, 10:01 PM

No idea what was going on between 12-05 and 12-07 but we are now back to the old 20M/day-ish level of writes.

Screenshot Capture - 2026-01-23 - 23-01-02.png (1,898×594 px, 122 KB)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits