As part of T206016: Create a service for session storage and T161647: RFC: Deprecate using php serialization inside MediaWiki, we implemented T215533: Enable use of session storage service in MediaWiki and T222099: Staging release of RESTBagOStuff using Kask. In summary, this modified RESTBagOStuff to serialize session information to JSON and store it in the new Kask session storage service (implemented in Cassandra and sitting behind a REST API). This is part of the long-term goals of production active/active datacenters and eliminating use of PHP serialization.
However, this mangles PHP objects, which affected MediaWiki-extensions-OathAuth . This extension is being adjusted, but this breaking change was a surprise to its developers, caused confusion, and took some time to track down.
Help avoid affecting others by properly documenting this change:
- update WebRequest::setSessionData() documentation to indicate "proper" objects are not allowed
- corresponding update to Session::set() documentation, and probably also a note in the class comment
- corresponding update to functions with RESTBagOStuff, and probably also a note in the class comment
- add something to RELEASE-NOTES
- emails to mediawiki-l and wikitech-l
- search for and update any relevant documentation on mediawiki.org
I'm adding as subscribers people who commented on T222099, where this was discussed. Feel free to unsubscribe yourself if you like.