Page MenuHomePhabricator
Create Task
Maniphest T159567

PHP session.auto_start = true makes MediaWiki unable to save sessions
Open, LowPublic
Actions

Description

On MediaWiki 1.27, 1.28 and current master, if in php.ini you have session.auto_start = 1, then users are unable to login. Logging in just keeps creating new session IDs (as we can see in the session cookie).

As a bonus, if we also have session.hash_bits_per_character = 6, on MediaWiki 1.27 (this doesn't happen on 1.28) when opening the site for the first time (or with private browsing) we get:

Exception encountered, of type "InvalidArgumentException"

If we can't prevent this from happening when session.auto_start is enabled, we should emit at least an informative error message on the login page, and of course an error in the installer.

Outcome

Either restore support fore session.auto_start=1 (like before MW 1.28), or document that this is not supported, detect it during the installer, and fail at run-time (e.g. from PHPSessionHandler).

Event Timeline

Ciencia_Al_Poder created this task.Mar 3 2017, 7:12 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 3 2017, 7:12 PM
Anomie added a comment.Mar 3 2017, 7:13 PM

Do you happen to have MediaWiki's session cookie configured to be the same as PHP's?

Ciencia_Al_Poder added a comment.Mar 3 2017, 7:43 PM

I haven't touched any variable in LocalSettings.php regarding sessions, just the standard variables set on install.

Krinkle added projects: MW-1.30-release, MW-1.31-release.Apr 18 2018, 12:18 AM
Krinkle moved this task from Backlog to Core on the MW-1.31-release board.Apr 18 2018, 6:08 PM
Anomie removed a project: MW-1.31-release.May 15 2018, 1:13 PM
From IRC:

<no_justification> anomie: Is this...not really a blocker? T159567
<anomie> no_justification: T159567 has been around for a while, hasn't blocked, and hasn't had anyone else reporting it. I suspect it happens if PHP's automatic session cookie collides with MediaWiki's session cookie.
<no_justification> Would you mind de-tagging it with something to that affect?

Krinkle added a project: MW-1.31-release.Jun 14 2018, 10:47 PM
Krinkle subscribed.

Re-adding to remember to backport when this is fixed. The untagging seems somewhat confusing. If this fatal isn't considered blocking, should the task be declined then? Or un-tagged from 1.27 as well meaning we won't backport from master to previous releases if/when this is fixed?

Krinkle edited projects, added Regression; removed MW-1.31-release, MW-1.30-release.Jan 14 2019, 8:03 PM
Krinkle removed a project: MW-1.27-release.
Ciencia_Al_Poder added a comment.Jul 16 2020, 3:14 PM

This is still current as of MediaWiki 1.34.2 and PHP 7.3, as reported here

Krinkle added a project: Platform Engineering.Jul 16 2020, 3:43 PM
Krinkle unsubscribed.
Krinkle updated the task description. (Show Details)Jul 16 2020, 3:45 PM
Krinkle updated the task description. (Show Details)
eprodromou triaged this task as Low priority.Jul 21 2020, 8:51 PM
eprodromou edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.
eprodromou subscribed.

Seem like the right thing to do is document the incompatibility.

eprodromou moved this task from Inbox to Later on the Platform Team Workboards (Clinic Duty Team) board.Jul 21 2020, 8:51 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL