Requests for comment/SessionStorageAPI

This is a request for comment for a multi-master session storage service interface.

Background
Ideally, sensitive data in MediaWiki would be isolated to limit the impact of a compromise. Sessions are a good example: were a malicious user able to obtain arbitrary session data, they could hijack other users' sessions, including those of admin users. In MediaWiki, sessions are stored using a (configurable) BagOStuff implementation, specifically a RedisBagOStuff in the Wikimedia production environment. While this provides some isolation, it remains possible to enumerate sessions if an attacker obtains a reference to the Redis connection object. Storing sessions in an external service that exposes a narrow API, nothing more than is required to store, retrieve, and delete sessions, safeguards against this type of exposure.

Additionally, a need has emerged for sessions to be global: in order to realize our objective of being active-active, sessions created in one data center should be available in the other. Accomplishing this in a robust and secure way will require replication semantics more sophisticated than those available to us with Redis.

This document proposes an implementation of a key-value storage service, with master-master replication, for use in multi-DC session management.

Versioning
A global URI versioning scheme (e.g. ) following the principles of semantic versioning is proposed. Content changes and bug fixes will fall under minor and patch changes, respectively, and will not result in a major version change, as they are expected to be backward-compatible. Major changes, such as removing or changing an endpoint, will be avoided where possible, as they result in a new major API version.

Information regarding major, minor, and patch changes will be maintained in a changelog. Support for older versions will be maintained until their use has fallen below a certain threshold; once it has, a Sunset header will be added to responses to notify users that the endpoint and/or version is deprecated and will be removed.
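The narrow store/retrieve/delete surface described under Background and the URI versioning with a Sunset header described above, sketched together as an added, runnable Python example. This is illustrative code written for this page, not Wikimedia's implementation: the /sessions/v<major>/<key> path shape (the RFC does not fix the URI form), the version numbers, the sunset date and the in-memory backing dict are all assumptions.

```python
"""Illustrative sketch (not Wikimedia code) of a narrow, URI-versioned
session storage API that signals retirement of a major version with an
RFC 8594 Sunset header.  Paths, versions, dates and the backing store
are assumptions made for the example."""
import re
import secrets
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Optional

# Assumed URI shape: /sessions/v<major>/<key>.  Keys are opaque tokens;
# there is no path that lists them.
PATH_RE = re.compile(r"^/sessions/v(?P<major>\d+)/(?P<key>[A-Za-z0-9_-]{1,128})$")

# Supported major versions.  A version being retired carries its Sunset
# date; v1 is marked for retirement here purely as an example.
VERSIONS: Dict[int, Optional[datetime]] = {
    1: datetime(2025, 1, 1, tzinfo=timezone.utc),
    2: None,
}

# Stand-in for the replicated key-value backend (assumption: in-memory dict).
_store: Dict[str, bytes] = {}


def new_session_key() -> str:
    """Unguessable session identifier.  Because the API exposes no
    enumerate/scan operation, knowing the key is the only way to reach a session."""
    return secrets.token_urlsafe(32)


def handle(method: str, path: str, body: Optional[bytes] = None):
    """Return (status, headers, body) for one request.

    Only store (PUT), retrieve (GET) and delete (DELETE) exist; anything
    resembling KEYS/SCAN is deliberately absent from the surface.
    """
    m = PATH_RE.match(path)
    if not m:
        return 404, {}, b""
    major = int(m["major"])
    if major not in VERSIONS:
        return 404, {}, b""

    headers = {}
    sunset = VERSIONS[major]
    if sunset is not None:
        # Sunset is an HTTP-date (RFC 8594); Deprecation flags it as already deprecated.
        headers["Sunset"] = format_datetime(sunset, usegmt=True)
        headers["Deprecation"] = "true"

    key = m["key"]
    if method == "PUT":
        if body is None:
            return 400, headers, b""
        _store[key] = body
        return 201, headers, b""
    if method == "GET":
        if key not in _store:
            return 404, headers, b""
        return 200, headers, _store[key]
    if method == "DELETE":
        _store.pop(key, None)
        return 204, headers, b""
    return 405, {**headers, "Allow": "GET, PUT, DELETE"}, b""


def sunset_deadline(headers: dict) -> Optional[datetime]:
    """Client side: turn a Sunset header into an aware datetime, or None if absent."""
    value = headers.get("Sunset")
    return parsedate_to_datetime(value) if value else None


if __name__ == "__main__":
    key = new_session_key()
    print(handle("PUT", f"/sessions/v2/{key}", b"session-blob"))
    status, hdrs, blob = handle("GET", f"/sessions/v1/{key}")
    print(status, hdrs, blob, sunset_deadline(hdrs))
    print(handle("DELETE", f"/sessions/v2/{key}"))
```

The Sunset date is emitted in HTTP-date form so that standard header parsing on the client side (here `parsedate_to_datetime`) yields a timezone-aware deadline to compare against; a client that sees the header can log a warning or open a migration ticket well before the version disappears.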