Disable PHPSessionHandler in Wikimedia production
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Tgr
	Apr 11 2024, 12:17 PM

Description

PHPSessionHandler registers SessionManager as a PHP session handler, which means that SessionManager methods are invoked (through PHPSessionHandler methods) at various points in the request lifetime. This is in theory only necessary for compatibility with extension code which uses PHP session handling ($_SESSION, session_start() etc), which hopefully doesn't happen anymore as it was deprecated a decade ago.

In practice though, I don't think disabling PHPSessionHandler was ever tried on any large wiki, so it needs some testing. Nevertheless, it's worth doing this in Wikimedia production - it makes the system much easier to reason about, and probably yields some performance improvement too.

We'd have to set $wgPHPSessionHandling = 'warn', run for a few weeks to see if there are any warnings, then set $wgPHPSessionHandling = 'disable' and watch another few weeks for errors. If all goes well, eventually we'll probably want to follow with an identical change in the MediaWiki default config as well.

Details

Other Assignee: Hokwelum

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
Set $wgPHPSessionHandling to 'disable' on remaining wikis	operations/mediawiki-config	master	+1 -7
Revert^2 "Set $wgPHPSessionHandling to 'disable' on group1 wikis"	operations/mediawiki-config	master	+1 -0
Revert^2 "Set $wgPHPSessionHandling to 'disable' on group0 wikis"	operations/mediawiki-config	master	+1 -1
Revert "Set $wgPHPSessionHandling to 'disable' on group1 wikis"	operations/mediawiki-config	master	+0 -1
Revert "Set $wgPHPSessionHandling to 'disable' on group0 wikis"	operations/mediawiki-config	master	+1 -1
Set $wgPHPSessionHandling to 'disable' on group0 wikis	operations/mediawiki-config	master	+1 -1
Set $wgPHPSessionHandling to 'disable' on group1 wikis	operations/mediawiki-config	master	+1 -0
Set wgPHPSessionHandling to 'warn' again	operations/mediawiki-config	master	+1 -1
Set $wgPHPSessionHandling to 'disable' on testwiki and beta cluster	operations/mediawiki-config	master	+5 -0
Set wgPHPSessionHandling to 'warn'	operations/mediawiki-config	master	+5 -0

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		JTweed-WMF	T398814 WE5.1.1 Session storage protection
Resolved		JTweed-WMF	T400365 Support multiple session stores
Resolved		matmarex	T362324 Disable PHPSessionHandler in Wikimedia production
Resolved		Tgr	T124371 Clean up usage of $_SESSION in WMF-deployed extensions
Resolved		Florian	T132251 CentralNotice shouldn't use wfSetupSession() anymore
Resolved	PRODUCTION ERROR	pmiazga	T162910 Update Collection not to use deprecated wfSetupSession call
Resolved	PRODUCTION ERROR	Jdforrester-WMF	T186339 Update SecurePoll not to use deprecated wfSetupSession call
Resolved	PRODUCTION ERROR	Tgr	T393963 PHP Deprecated: Use of $_SESSION was deprecated in MediaWiki 1.27. [Called from session_write_close in (internal function)]
Resolved		Hokwelum	T400667 Make all SessionManager tests pass with PHPSessionHandler disabled
Resolved		matmarex	T400668 Debug warnings that were recorded with $wgPHPSessionHandling = 'warn' in WMF production
Resolved		matmarex	T402602 Storing objects in session data causes unnecessary session writes, and emits spurious warnings with $wgPHPSessionHandling = 'warn'
Resolved		matmarex	T403519 Several mwapi (Python) based tools are failing to edit: badtoken: Invalid CSRF token.

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Tgr added a subtask: T124371: Clean up usage of $_SESSION in WMF-deployed extensions.Apr 11 2024, 12:24 PM

TK-999 subscribed.Apr 11 2024, 12:59 PM

Mainframe98 subscribed.Apr 11 2024, 1:17 PM

• larissagaulia moved this task from Inbox, needs triage to Within 2 Qs on the MediaWiki-Platform-Team board.Apr 15 2024, 3:23 PM

JTweed-WMF edited projects, added MediaWiki-Platform-Team (Roadmap); removed MediaWiki-Platform-Team.Jan 22 2025, 3:51 PM

JTweed-WMF moved this task from Now => Move to Inbox to Later => Move to Inbox on the MediaWiki-Platform-Team (Roadmap) board.

Tgr mentioned this in T392251: SessionBackend seems to store session changes too often.Apr 17 2025, 5:52 PM

Change #1140725 had a related patch set uploaded (by Máté Szabó; author: Máté Szabó):

[operations/mediawiki-config@master] Set wgPHPSessionHandling to 'warn' on testwiki

https://gerrit.wikimedia.org/r/1140725

gerritbot added a project: Patch-For-Review.May 2 2025, 2:58 PM

Tgr edited projects, added MediaWiki-Platform-Team; removed MediaWiki-Platform-Team (Roadmap).May 11 2025, 6:48 PM

Tgr moved this task from Within 2 Qs to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.

Change #1144497 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] Set $wgPHPSessionHandling to 'disable'

https://gerrit.wikimedia.org/r/1144497

Change #1140725 merged by jenkins-bot:

[operations/mediawiki-config@master] Set wgPHPSessionHandling to 'warn'

https://gerrit.wikimedia.org/r/1140725

Mentioned in SAL (#wikimedia-operations) [2025-05-12T12:36:23Z] <tgr@deploy1003> Started scap sync-world: Backport for [[gerrit:1143962|Get rid of ancient session_name call (T124371)]], [[gerrit:1144495|Do not use $_SESSION (T29887 T124371)]], [[gerrit:1140725|Set wgPHPSessionHandling to 'warn' (T362324)]]

Mentioned in SAL (#wikimedia-operations) [2025-05-12T12:52:41Z] <tgr@deploy1003> tgr, mszabo: Backport for [[gerrit:1143962|Get rid of ancient session_name call (T124371)]], [[gerrit:1144495|Do not use $_SESSION (T29887 T124371)]], [[gerrit:1140725|Set wgPHPSessionHandling to 'warn' (T362324)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Mentioned in SAL (#wikimedia-operations) [2025-05-12T13:08:36Z] <tgr@deploy1003> Finished scap sync-world: Backport for [[gerrit:1143962|Get rid of ancient session_name call (T124371)]], [[gerrit:1144495|Do not use $_SESSION (T29887 T124371)]], [[gerrit:1140725|Set wgPHPSessionHandling to 'warn' (T362324)]] (duration: 32m 12s)

Tgr closed subtask T124371: Clean up usage of $_SESSION in WMF-deployed extensions as Resolved.May 12 2025, 1:40 PM

Tgr claimed this task.May 12 2025, 1:51 PM

Krinkle awarded a token.May 12 2025, 2:20 PM

errors

I think it's bogus, PHPSessionHandler gets confused when the session is dirty on shutdown. The order of things is probably wrong in SessionManager::shutdown().

(But note also that zero errors wouldn't necessarily make this a no-op change. Even when the deprecation logging isn't triggered, it perturbs the order of session handling function calls quite a bit.)

Umherirrender mentioned this in T393963: PHP Deprecated: Use of $_SESSION was deprecated in MediaWiki 1.27. [Called from session_write_close in (internal function)].May 12 2025, 8:35 PM

Tgr added a subtask: T393963: PHP Deprecated: Use of $_SESSION was deprecated in MediaWiki 1.27. [Called from session_write_close in (internal function)].May 12 2025, 8:52 PM

Tgr moved this task from In progress (DO NOT USE) to Waiting on the MediaWiki-Platform-Team board.Jun 3 2025, 1:51 PM

matmarex subscribed.Jun 10 2025, 6:05 PM

Change #1155299 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[operations/mediawiki-config@master] Set $wgPHPSessionHandling to 'disable' on testwiki and beta cluster

https://gerrit.wikimedia.org/r/1155299

Change #1155299 merged by jenkins-bot:

[operations/mediawiki-config@master] Set $wgPHPSessionHandling to 'disable' on testwiki and beta cluster

https://gerrit.wikimedia.org/r/1155299

Mentioned in SAL (#wikimedia-operations) [2025-06-11T13:56:58Z] <lucaswerkmeister-wmde@deploy1003> Started scap sync-world: Backport for [[gerrit:1155299|Set $wgPHPSessionHandling to 'disable' on testwiki and beta cluster (T362324)]], [[gerrit:1155303|Stop logging $wgPHPSessionHandling warnings for now (T393963)]]

Mentioned in SAL (#wikimedia-operations) [2025-06-11T13:59:08Z] <lucaswerkmeister-wmde@deploy1003> matmarex, lucaswerkmeister-wmde: Backport for [[gerrit:1155299|Set $wgPHPSessionHandling to 'disable' on testwiki and beta cluster (T362324)]], [[gerrit:1155303|Stop logging $wgPHPSessionHandling warnings for now (T393963)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-06-11T14:08:12Z] <lucaswerkmeister-wmde@deploy1003> Finished scap sync-world: Backport for [[gerrit:1155299|Set $wgPHPSessionHandling to 'disable' on testwiki and beta cluster (T362324)]], [[gerrit:1155303|Stop logging $wgPHPSessionHandling warnings for now (T393963)]] (duration: 11m 14s)

matmarex closed subtask T393963: PHP Deprecated: Use of $_SESSION was deprecated in MediaWiki 1.27. [Called from session_write_close in (internal function)] as Resolved.Jun 11 2025, 2:50 PM

Tgr moved this task from Waiting to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.Jun 30 2025, 12:20 PM

matmarex moved this task from In progress (DO NOT USE) to Inbox, needs triage on the MediaWiki-Platform-Team board.Jul 26 2025, 1:49 AM

JTweed-WMF added a parent task: T400365: Support multiple session stores.Jul 28 2025, 2:43 PM

JTweed-WMF moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.

JTweed-WMF moved this task from Needs refinement to Next (DO NOT USE) on the MediaWiki-Platform-Team board.

matmarex claimed this task.Jul 28 2025, 2:43 PM

matmarex added subtasks: T400667: Make all SessionManager tests pass with PHPSessionHandler disabled, T400668: Debug warnings that were recorded with $wgPHPSessionHandling = 'warn' in WMF production.Jul 29 2025, 2:52 AM

Change #1181697 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[operations/mediawiki-config@master] Set wgPHPSessionHandling to 'warn' again

https://gerrit.wikimedia.org/r/1181697

Change #1181697 merged by jenkins-bot:

[operations/mediawiki-config@master] Set wgPHPSessionHandling to 'warn' again

https://gerrit.wikimedia.org/r/1181697

Mentioned in SAL (#wikimedia-operations) [2025-08-25T13:13:36Z] <lucaswerkmeister-wmde@deploy1003> Started scap sync-world: Backport for [[gerrit:1181695|PHPSessionHandler: In warn mode, report the changed keys (T400668)]], [[gerrit:1181697|Set wgPHPSessionHandling to 'warn' again (T362324)]]

Mentioned in SAL (#wikimedia-operations) [2025-08-25T13:20:04Z] <lucaswerkmeister-wmde@deploy1003> lucaswerkmeister-wmde, matmarex: Backport for [[gerrit:1181695|PHPSessionHandler: In warn mode, report the changed keys (T400668)]], [[gerrit:1181697|Set wgPHPSessionHandling to 'warn' again (T362324)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-08-25T13:26:50Z] <lucaswerkmeister-wmde@deploy1003> Finished scap sync-world: Backport for [[gerrit:1181695|PHPSessionHandler: In warn mode, report the changed keys (T400668)]], [[gerrit:1181697|Set wgPHPSessionHandling to 'warn' again (T362324)]] (duration: 13m 14s)

matmarex closed subtask T400668: Debug warnings that were recorded with $wgPHPSessionHandling = 'warn' in WMF production as Resolved.Aug 26 2025, 1:51 PM

matmarex closed subtask T400667: Make all SessionManager tests pass with PHPSessionHandler disabled as Resolved.Aug 27 2025, 5:28 PM

matmarex moved this task from Next (DO NOT USE) to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.Aug 28 2025, 2:10 PM

matmarex updated Other Assignee, added: Hokwelum.

Change #1182857 had a related patch set uploaded (by Hokwelum; author: Hokwelum):

[operations/mediawiki-config@master] Set $wgPHPSessionHandling to 'disable' on group0 wikis

https://gerrit.wikimedia.org/r/1182857

Change #1182857 merged by jenkins-bot:

[operations/mediawiki-config@master] Set $wgPHPSessionHandling to 'disable' on group0 wikis

https://gerrit.wikimedia.org/r/1182857

Mentioned in SAL (#wikimedia-operations) [2025-08-28T20:06:12Z] <dancy@deploy1003> Started scap sync-world: Backport for [[gerrit:1182857|Set $wgPHPSessionHandling to 'disable' on group0 wikis (T362324)]]

Mentioned in SAL (#wikimedia-operations) [2025-08-28T20:10:12Z] <dancy@deploy1003> hokwelum, dancy: Backport for [[gerrit:1182857|Set $wgPHPSessionHandling to 'disable' on group0 wikis (T362324)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-08-28T20:20:08Z] <dancy@deploy1003> Finished scap sync-world: Backport for [[gerrit:1182857|Set $wgPHPSessionHandling to 'disable' on group0 wikis (T362324)]] (duration: 13m 56s)

Change #1183741 had a related patch set uploaded (by Hokwelum; author: Hokwelum):

[operations/mediawiki-config@master] Set $wgPHPSessionHandling to 'disable' on group1 wikis

https://gerrit.wikimedia.org/r/1183741

Change #1183741 merged by jenkins-bot:

[operations/mediawiki-config@master] Set $wgPHPSessionHandling to 'disable' on group1 wikis

https://gerrit.wikimedia.org/r/1183741

Mentioned in SAL (#wikimedia-operations) [2025-09-02T13:42:41Z] <kartik@deploy1003> Finished scap sync-world: Backport for [[gerrit:1183741|Set $wgPHPSessionHandling to 'disable' on group1 wikis (T362324)]] (duration: 17m 28s)

LucasWerkmeister mentioned this in T403519: Several mwapi (Python) based tools are failing to edit: badtoken: Invalid CSRF token..Sep 2 2025, 7:34 PM

Change #1184161 had a related patch set uploaded (by Lucas Werkmeister; author: Lucas Werkmeister):

[operations/mediawiki-config@master] Revert "Set $wgPHPSessionHandling to 'disable' on group1 wikis"

https://gerrit.wikimedia.org/r/1184161

Change #1184161 merged by jenkins-bot:

[operations/mediawiki-config@master] Revert "Set $wgPHPSessionHandling to 'disable' on group1 wikis"

https://gerrit.wikimedia.org/r/1184161

Mentioned in SAL (#wikimedia-operations) [2025-09-02T21:01:36Z] <lucaswerkmeister-wmde@deploy1003> Started scap sync-world: Backport for [[gerrit:1184161|Revert "Set $wgPHPSessionHandling to 'disable' on group1 wikis" (T362324 T403519)]]

Mentioned in SAL (#wikimedia-operations) [2025-09-02T21:06:20Z] <lucaswerkmeister-wmde@deploy1003> lucaswerkmeister-wmde, lucaswerkmeister: Backport for [[gerrit:1184161|Revert "Set $wgPHPSessionHandling to 'disable' on group1 wikis" (T362324 T403519)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-09-02T21:15:03Z] <lucaswerkmeister-wmde@deploy1003> Finished scap sync-world: Backport for [[gerrit:1184161|Revert "Set $wgPHPSessionHandling to 'disable' on group1 wikis" (T362324 T403519)]] (duration: 13m 27s)

Change #1184166 had a related patch set uploaded (by Lucas Werkmeister; author: Lucas Werkmeister):

[operations/mediawiki-config@master] Revert "Set $wgPHPSessionHandling to 'disable' on group0 wikis"

https://gerrit.wikimedia.org/r/1184166

Change #1184166 merged by jenkins-bot:

[operations/mediawiki-config@master] Revert "Set $wgPHPSessionHandling to 'disable' on group0 wikis"

https://gerrit.wikimedia.org/r/1184166

Mentioned in SAL (#wikimedia-operations) [2025-09-02T21:55:54Z] <lucaswerkmeister-wmde@deploy1003> Started scap sync-world: Backport for [[gerrit:1184166|Revert "Set $wgPHPSessionHandling to 'disable' on group0 wikis" (T362324 T403519)]]

Mentioned in SAL (#wikimedia-operations) [2025-09-02T22:00:16Z] <lucaswerkmeister-wmde@deploy1003> lucaswerkmeister, lucaswerkmeister-wmde: Backport for [[gerrit:1184166|Revert "Set $wgPHPSessionHandling to 'disable' on group0 wikis" (T362324 T403519)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-09-02T22:05:57Z] <lucaswerkmeister-wmde@deploy1003> Finished scap sync-world: Backport for [[gerrit:1184166|Revert "Set $wgPHPSessionHandling to 'disable' on group0 wikis" (T362324 T403519)]] (duration: 10m 03s)

The deployments to group1 and group0 were reverted due to causing T403519. $wgPHPSessionHandling = 'disable' currently remains set only on testwiki. We'll need to debug that issue before attempting the rollout again.

matmarex added a subtask: T403519: Several mwapi (Python) based tools are failing to edit: badtoken: Invalid CSRF token..Sep 2 2025, 11:18 PM

Change #1187065 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[operations/mediawiki-config@master] Revert^2 "Set $wgPHPSessionHandling to 'disable' on group0 wikis"

https://gerrit.wikimedia.org/r/1187065

Change #1187066 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[operations/mediawiki-config@master] Revert^2 "Set $wgPHPSessionHandling to 'disable' on group1 wikis"

https://gerrit.wikimedia.org/r/1187066

Change #1187065 merged by jenkins-bot:

[operations/mediawiki-config@master] Revert^2 "Set $wgPHPSessionHandling to 'disable' on group0 wikis"

https://gerrit.wikimedia.org/r/1187065

Change #1187066 merged by jenkins-bot:

[operations/mediawiki-config@master] Revert^2 "Set $wgPHPSessionHandling to 'disable' on group1 wikis"

https://gerrit.wikimedia.org/r/1187066

Mentioned in SAL (#wikimedia-operations) [2025-09-10T20:27:38Z] <reedy@deploy1003> Started scap sync-world: Backport for [[gerrit:1187062|ApiQueryTokens: Persist any new token, instead of depending on the type (T403519)]], [[gerrit:1187063|ApiQueryTokens: Persist any new token, instead of depending on the type (T403519)]], [[gerrit:1187066|Revert^2 "Set $wgPHPSessionHandling to 'disable' on group1 wikis" (T362324)]], [[gerrit:1187065|Revert^2 "Set $wgPHPSessionHandling to 'disable'

Mentioned in SAL (#wikimedia-operations) [2025-09-10T20:32:07Z] <reedy@deploy1003> reedy, matmarex: Backport for [[gerrit:1187062|ApiQueryTokens: Persist any new token, instead of depending on the type (T403519)]], [[gerrit:1187063|ApiQueryTokens: Persist any new token, instead of depending on the type (T403519)]], [[gerrit:1187066|Revert^2 "Set $wgPHPSessionHandling to 'disable' on group1 wikis" (T362324)]], [[gerrit:1187065|Revert^2 "Set $wgPHPSessionHandling to 'disable' on grou

Mentioned in SAL (#wikimedia-operations) [2025-09-10T20:41:47Z] <reedy@deploy1003> Finished scap sync-world: Backport for [[gerrit:1187062|ApiQueryTokens: Persist any new token, instead of depending on the type (T403519)]], [[gerrit:1187063|ApiQueryTokens: Persist any new token, instead of depending on the type (T403519)]], [[gerrit:1187066|Revert^2 "Set $wgPHPSessionHandling to 'disable' on group1 wikis" (T362324)]], [[gerrit:1187065|Revert^2 "Set $wgPHPSessionHandling to 'disable

We're back to group0 and group1 after fixing that bug. We should wait a few days and roll out to the remaining wikis (group2) if no new issues are reported.

Change #1144497 had a related patch set uploaded (by Bartosz Dziewoński; author: Gergő Tisza):

[operations/mediawiki-config@master] Set $wgPHPSessionHandling to 'disable' on remaining wikis

https://gerrit.wikimedia.org/r/1144497

Change #1144497 merged by jenkins-bot:

[operations/mediawiki-config@master] Set $wgPHPSessionHandling to 'disable' on remaining wikis

https://gerrit.wikimedia.org/r/1144497

Mentioned in SAL (#wikimedia-operations) [2025-09-15T14:14:28Z] <lucaswerkmeister-wmde@deploy1003> Started scap sync-world: Backport for [[gerrit:1144497|Set $wgPHPSessionHandling to 'disable' on remaining wikis (T362324)]]

Mentioned in SAL (#wikimedia-operations) [2025-09-15T14:20:18Z] <lucaswerkmeister-wmde@deploy1003> lucaswerkmeister-wmde, tgr: Backport for [[gerrit:1144497|Set $wgPHPSessionHandling to 'disable' on remaining wikis (T362324)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-09-15T14:30:18Z] <lucaswerkmeister-wmde@deploy1003> Finished scap sync-world: Backport for [[gerrit:1144497|Set $wgPHPSessionHandling to 'disable' on remaining wikis (T362324)]] (duration: 15m 49s)

This is done, we're not seeing any related errors in the logs and no one seems to be complaining.

Filed T404636: Deprecate PHPSessionHandler and $wgPHPSessionHandling for deprecating and eventually removing these features from MediaWiki entirely.

DAlangi_WMF awarded a token.Sep 15 2025, 6:50 PM

Tgr mentioned this in T404691: RenderTranslationPageJob: Sessions can only be imported when none is active..Sep 23 2025, 5:31 PM

Disable PHPSessionHandler in Wikimedia productionClosed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

Disable PHPSessionHandler in Wikimedia production
Closed, ResolvedPublic
Actions

Related Objects
Search...