Page MenuHomePhabricator
Create Task
Maniphest T400667

Make all SessionManager tests pass with PHPSessionHandler disabled
Closed, ResolvedPublic
Actions

Description

  • Set $wgPHPSessionHandling = 'disable' in your LocalSettings
  • Find any tests for SessionManager or other session-adjacent features that fail under that configuration
    • If the test primarily tests the PHPSessionHandler class, make it pass using $this->overrideConfigValue( ... )
    • If the test is more generic, find a way to make it pass regardless of the config, or split it into two tests (one with $wgPHPSessionHandling set to 'disable', another with it set to 'enable')

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
[DNM] test disabled $wgPHPSessionHandlingmediawiki/extensions/CentralAuthmaster+1 -0
Fix failing test when PHPSessionHandler is set to disablemediawiki/coremaster+12 -0
[DNM] set $wgPHPSessionHandling to disablemediawiki/coremaster+3 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

matmarex created this task.Jul 29 2025, 2:51 AM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJul 29 2025, 2:51 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
matmarex added a parent task: T362324: Disable PHPSessionHandler in Wikimedia production.Jul 29 2025, 2:52 AM
matmarex claimed this task.Jul 31 2025, 10:30 PM
matmarex moved this task from Inbox, needs triage to Next (DO NOT USE) on the MediaWiki-Platform-Team board.
matmarex removed matmarex as the assignee of this task.Aug 12 2025, 10:42 PM
matmarex updated the task description. (Show Details)
matmarex added a subscriber: Hokwelum.
Hokwelum claimed this task.Aug 15 2025, 6:05 PM
Hokwelum added a comment.Aug 18 2025, 4:24 PM

So I tried doing this locally by adding $wgPHPSessionHandling = 'disable'; to my localsettings and running: ./vendor/bin/phpunit tests/phpunit/includes/session/.

it returned:

OK (138 tests, 1280 assertions)

Tgr subscribed.Aug 19 2025, 9:14 AM

Yeah, my bad. I actually saw the error in warn mode, not disable mode:

1) MediaWiki\Tests\Session\SessionBackendTest::testResetIdOfGlobalSession
Use of $_SESSION was deprecated in MediaWiki 1.27. [Called from session_write_close in (internal function)]

/vagrant/mediawiki/includes/debug/MWDebug.php:386
/vagrant/mediawiki/includes/debug/MWDebug.php:357
/vagrant/mediawiki/includes/debug/MWDebug.php:238
/vagrant/mediawiki/includes/GlobalFunctions.php:787
/vagrant/mediawiki/includes/session/PHPSessionHandler.php:331
/vagrant/mediawiki/includes/session/SessionBackend.php:271
/vagrant/mediawiki/tests/phpunit/includes/session/SessionBackendTest.php:1014

Apparently the test overrides the enable flag (so it doesn't break when you disable PHP session handling) but doesn't override the warn flag.

Tgr added a comment.Aug 19 2025, 9:19 AM

But just to be sure, you could check the normal CI pipeline: create a patch where you change the default value of $wgPHPSessionHandling to disable, label it as a test patch (we usually prefix the commit message with something like [DNM] or [POC]), create an empty CentralAuth patch that depends on it (I think CentralAuth is the only Wikimedia extension that heavily interacts with session handling), upload them to Gerrit and see if they pass CI.

gerritbot added a comment.Aug 19 2025, 8:45 PM

Change #1180221 had a related patch set uploaded (by Hokwelum; author: Hokwelum):

[mediawiki/core@master] [DNM] set $wgPHPSessionHandling to disable

https://gerrit.wikimedia.org/r/1180221

gerritbot added a project: Patch-For-Review.Aug 19 2025, 8:45 PM
gerritbot added a comment.Aug 19 2025, 9:01 PM

Change #1180225 had a related patch set uploaded (by Hokwelum; author: Hokwelum):

[mediawiki/extensions/CentralAuth@master] [DNM] test disabled $wgPHPSessionHandling

https://gerrit.wikimedia.org/r/1180225

matmarex added a comment.Aug 20 2025, 7:42 PM

From the test patch:

There were 2 failures:

1) MediaWiki\Tests\Api\ApiLoginTest::testDeprecatedUserLogin with data set "Bot passwords enabled" (true)
Failed asserting that two arrays are identical.
--- Expected
+++ Actual
@@ @@
 Array &0 (
     'result' => 'Success'
-    'lguserid' => 1
-    'lgusername' => 'TestUser 31a86d.27e'
+    'lguserid' => 2
+    'lgusername' => 'UTSysop'
 )

/workspace/src/tests/phpunit/includes/api/ApiLoginTest.php:110


2) MediaWiki\Tests\Api\ApiLoginTest::testDeprecatedUserLogin with data set "Bot passwords disabled" (false)
Failed asserting that two arrays are identical.
--- Expected
+++ Actual
@@ @@
 Array &0 (
     'result' => 'Success'
-    'lguserid' => 1
-    'lgusername' => 'TestUser 31a86d.280'
+    'lguserid' => 2
+    'lgusername' => 'UTSysop'
 )

/workspace/src/tests/phpunit/includes/api/ApiLoginTest.php:110
Tgr added a comment.Aug 20 2025, 8:04 PM

That's a scary error. I guess an existing session is somehow being reused in ApiTestCase::doApiRequest()?

Hokwelum added a comment.Aug 21 2025, 1:35 PM

@matmarex, were you able to reproduce the failed test locally?

Hokwelum added a comment.Aug 21 2025, 1:51 PM

To replicate the errors, I had to do $this->overrideConfigValue( CAMainConfigNames::CentralAuthEnableSul3, false ); in APiLoginTest.

matmarex added a comment.Aug 23 2025, 12:46 AM

Yes, I can reproduce it locally. I was testing with CentralAuth not being installed, since it interferes with many of the core auth/session tests (since it intentionally changes the behavior that they are testing).

gerritbot added a comment.Aug 26 2025, 7:49 PM

Change #1182208 had a related patch set uploaded (by Hokwelum; author: Hokwelum):

[mediawiki/core@master] Fix failing test when PHPSessionHandler is set to disable

https://gerrit.wikimedia.org/r/1182208

gerritbot added a comment.Aug 27 2025, 5:19 PM

Change #1182208 merged by jenkins-bot:

[mediawiki/core@master] Fix failing test when PHPSessionHandler is set to disable

https://gerrit.wikimedia.org/r/1182208

matmarex added a comment.Aug 27 2025, 5:27 PM

For the record, I manually tested the same workflow as in the failing test with $wgPHPSessionHandling = 'disable' (logging in with the legacy action=login API while logged in as another user) and it works correctly.

I did some debugging and it looks like ApiLogin reads out the user data from a different Session object than the one which AuthManager writes to. I haven't dug deep enough to figure out why this happens (probably some incomplete mocking/resetting somewhere), or why enabling PHPSessionHandler makes it work.

matmarex closed this task as Resolved.Aug 27 2025, 5:28 PM
ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.17; 2025-09-02).Aug 27 2025, 6:00 PM
gerritbot added a comment.Aug 27 2025, 7:55 PM

Change #1180225 abandoned by Hokwelum:

[mediawiki/extensions/CentralAuth@master] [DNM] test disabled $wgPHPSessionHandling

Reason:

Not needed!

https://gerrit.wikimedia.org/r/1180225

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits