Requests for comment/SessionStorageAPI

This is a request for comment for a multi-master session storage service interface.

Tracked in Phabricator Task T206010 Request for comment (RFC) SessionStorageAPI Component General Creation date 17 October 2018 Author(s) User:EEvans (WMF), User:CAndrew (WMF) Document status implemented See Phabricator.

Background
A need has emerged for sessions to be valid fleet-wide; In order to realize our objective of being active-active, sessions created in one data-center should be available in the other. Accomplishing this in a robust and secure way will require replication semantics more sophisticated than those available to us with Redis.

Additionally, sensitive data in MediaWiki should be isolated where possible to limit impact in the event of a compromise. Sessions are an example of this; Were a malicious user able to enumerate sessions, they would be able to discover and hijack user logins (including for example, those of admins). Persisting to an external service that exposes a narrow API, nothing more than required to store, retrieve, and delete sessions, is in-line with the principle of least privilege, and may safeguard against some classes of unintentional exposure.

Proposal
This document proposes an implementation of a key-value storage service, with master-master replication, for use in multi-DC session management.

Versioning
A global version that follows the principles of semantic versioning is proposed. Backward-compatible changes to representations, and bug fixes will fall under minor and patch changes respectfully. Changes to the major are reserved for backward-incompatible (read: breaking) changes. Every effort will be made to avoid breaking changes, however should they become necessary, a major-version prefix in the URI (e.g. ) will provide the means to preserve compatibility during a transition.