Change Details

**Problem** Sessions are stored on the server in MediaWiki. This means that the state of user's logged in status must be stored in a centralized location. By default, MediaWiki stores sessions in the [[ https://www.mediawiki.org/wiki/Manual:$wgSessionCacheType | object storage ]]. **Proposed Solution** When a user logs in, a cookie could be set that contains a [[ https://jwt.io/ | JWT ]]. This token would contain a verified claim of the user's logged in status. This allows the session to be transfered from the client to the server on each request and prevents the server from storing the state of the user's logged-in state. This makes authorization //stateless//. MediaWiki would still be able to use the existing features like "Keep me logged in." Perhaps a session handler like [[ https://github.com/byjg/jwt-session | byjg/jwt-session ]] could be used.

**Problem** Sessions are stored on the server in MediaWiki. This means that the state of user's logged in status must be stored in a centralized location. By default, MediaWiki stores sessions in the [[ https://www.mediawiki.org/wiki/Manual:$wgSessionCacheType | object storage ]]. **Proposed Solution** When a user logs in, a cookie could be set that contains a [[ https://jwt.io/ | JWT ]]. This token would contain a verified claim of the user's logged in status. This allows the session to be transfered from the client to the server on each request and prevents the server from storing the state of the user's logged-in state. This makes authorization //stateless//. MediaWiki would still be able to use the existing features like "Keep me logged in."

**Problem** Sessions are stored on the server in MediaWiki. This means that the state of user's logged in status must be stored in a centralized location. By default, MediaWiki stores sessions in the [[ https://www.mediawiki.org/wiki/Manual:$wgSessionCacheType | object storage ]]. **Proposed Solution** When a user logs in, a cookie could be set that contains a [[ https://jwt.io/ | JWT ]]. This token would contain a verified claim of the user's logged in status. This allows the session to be transfered from the client to the server on each request and prevents the server from storing the state of the user's logged-in state. This makes authorization //stateless//. MediaWiki would still be able to use the existing features like "Keep me logged in." Perhaps a session handler like [[ https://github.com/byjg/jwt-session | byjg/jwt-session ]] could be used.