Task T215533: Enable use of session storage service in MediaWiki, as part of T206016: Create a service for session storage and in support of T88445: MediaWiki active/active datacenter investigation and work (tracking), modified RESTBagOStuff for use in storing sessions in the external Kask service. With T161647: RFC: Deprecate using php serialization inside MediaWiki in mind, it serialized sessions to JSON.
However, this caused T233146: Cannot enable 2FA on testwiki and, per the discussion in T233537: Document and communicate potentially breaking session storage serialization change, breaks backward compatibility without deprecation. Because the release of MediaWiki 1.34 is fast approaching, we need a solution that allows Kask development/rollout to continue while still respecting the deprecation policy.
To solve this, recognize an additional value in the $params passed to the constructor to specify serialization type, with choices "PHP" and "JSON", with a default of "PHP".
This has the following benefits (copied from T233537, for more context see the discussion there):
- maintains backward compatibility for any existing callers (even though we are not aware of any)
- still allows us to use JSON for sessions stored in Kask if we choose to (we'd just specify "JSON" in the config)
- permanently avoids the need for autodetect backward compatibility code. If we use JSON for sessions stored in Kask, we can migrate production via MultiWriteBagOStuff. Any other callers will find the new serialization type option helpful should they also choose to migrate.
- allows us to deprecate then remove PHP serialization from RESTBagOStuff in a friendly and deprecation-policy-compliant way, should we choose to do so
- lets us get 1.34 out the door cleanly.
Additionally, add an optional 'hmac_key' $params value. If included, it will be used to protect the serialized blob.
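
The sketch below is an added illustration, not RESTBagOStuff's actual code. It shows one way an explicit serialization type and an HMAC key can work together so that a stored blob is authenticated before it is deserialized. The `TYPE.MAC.PAYLOAD` envelope, the function names `encodeBlob`/`decodeBlob` and the sample key and session are assumptions made for the example.

```php
<?php
// Added illustration, not MediaWiki's RESTBagOStuff code. The "TYPE.MAC.PAYLOAD"
// envelope and the function names are assumptions made for this example.

function encodeBlob( $value, string $type, string $hmacKey ): string {
	if ( $type === 'JSON' ) {
		$payload = json_encode( $value, JSON_THROW_ON_ERROR );
	} elseif ( $type === 'PHP' ) {
		$payload = serialize( $value );
	} else {
		throw new InvalidArgumentException( "Unknown serialization type: $type" );
	}
	// The MAC covers the type tag too, so a blob cannot be relabelled.
	$mac = hash_hmac( 'sha256', "$type.$payload", $hmacKey );
	return "$type.$mac.$payload";
}

function decodeBlob( string $blob, string $expectedType, string $hmacKey ) {
	$parts = explode( '.', $blob, 3 );
	if ( count( $parts ) !== 3 ) {
		return false;
	}
	[ $type, $mac, $payload ] = $parts;
	// Only the configured type is accepted; there is no autodetection.
	if ( $type !== $expectedType ) {
		return false;
	}
	// Constant-time comparison, done before any deserialization.
	$expected = hash_hmac( 'sha256', "$type.$payload", $hmacKey );
	if ( !hash_equals( $expected, $mac ) ) {
		return false;
	}
	if ( $type === 'JSON' ) {
		return json_decode( $payload, true, 512, JSON_THROW_ON_ERROR );
	}
	// Even with a valid MAC, refuse to instantiate objects from stored data.
	return unserialize( $payload, [ 'allowed_classes' => false ] );
}

// Constructed sample data.
$key = 'example-key-not-for-production';
$session = [ 'user' => 'Alice', 'token' => 'abc123' ];
$blob = encodeBlob( $session, 'JSON', $key );
var_dump( decodeBlob( $blob, 'JSON', $key ) === $session ); // round trip
var_dump( decodeBlob( $blob . 'x', 'JSON', $key ) );        // tampered payload
var_dump( decodeBlob( $blob, 'PHP', $key ) );               // type mismatch
```

Because this sketch returns `false` for every rejected blob, a caller storing a literal `false` would need a distinct failure signal such as an exception.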