Page MenuHomePhabricator
Create Task
Maniphest T402602

Storing objects in session data causes unnecessary session writes, and emits spurious warnings with $wgPHPSessionHandling = 'warn'
Closed, ResolvedPublic
Actions

Description

The debug warnings we've recorded in T400668 did not have anything interesting in them, so I decided to very carefully read the PHPSessionHandler::write() method, which emits these warnings, and look for holes in the logic.

I noticed that it does some === comparisons on arbitrary deserialized data, which wouldn't work as expected if that data could contain any PHP objects, and it turns out that it can. As a result, storing objects in session data causes unnecessary session writes (which probably explains at least some of the shutdown writes we've seen in T400249) and emits spurious warnings with $wgPHPSessionHandling = 'warn' (which hopefully explains all of the warnings we've seen in T400668).

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
PHPSessionHandler: Better handle objects stored in the sessionmediawiki/corewmf/1.45.0-wmf.15+29 -0
Add test for I9d67e5bmediawiki/coremaster+13 -0
PHPSessionHandler: Better handle objects stored in the sessionmediawiki/coremaster+29 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

matmarex created this task.Aug 21 2025, 10:47 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 21 2025, 10:47 PM
matmarex claimed this task.Aug 21 2025, 10:47 PM
matmarex mentioned this in T400668: Debug warnings that were recorded with $wgPHPSessionHandling = 'warn' in WMF production.
matmarex added a parent task: T400668: Debug warnings that were recorded with $wgPHPSessionHandling = 'warn' in WMF production.
matmarex moved this task from Inbox, needs triage to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.
gerritbot added a comment.Aug 21 2025, 11:15 PM

Change #1181002 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/core@master] PHPSessionHandler: Better handle objects stored in the session

https://gerrit.wikimedia.org/r/1181002

gerritbot added a project: Patch-For-Review.Aug 21 2025, 11:15 PM
matmarex mentioned this in T393963: PHP Deprecated: Use of $_SESSION was deprecated in MediaWiki 1.27. [Called from session_write_close in (internal function)].Aug 21 2025, 11:57 PM
gerritbot added a comment.Aug 25 2025, 9:03 PM

Change #1181780 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] Add test for I9d67e5b

https://gerrit.wikimedia.org/r/1181780

gerritbot added a comment.Aug 25 2025, 9:13 PM

Change #1181002 merged by jenkins-bot:

[mediawiki/core@master] PHPSessionHandler: Better handle objects stored in the session

https://gerrit.wikimedia.org/r/1181002

gerritbot added a comment.Aug 25 2025, 9:15 PM

Change #1181782 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/core@wmf/1.45.0-wmf.15] PHPSessionHandler: Better handle objects stored in the session

https://gerrit.wikimedia.org/r/1181782

gerritbot added a comment.Aug 25 2025, 9:45 PM

Change #1181780 merged by jenkins-bot:

[mediawiki/core@master] Add test for I9d67e5b

https://gerrit.wikimedia.org/r/1181780

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.16; 2025-08-26).Aug 25 2025, 10:00 PM
gerritbot added a comment.Aug 26 2025, 1:20 PM

Change #1181782 merged by jenkins-bot:

[mediawiki/core@wmf/1.45.0-wmf.15] PHPSessionHandler: Better handle objects stored in the session

https://gerrit.wikimedia.org/r/1181782

Stashbot added a comment.Aug 26 2025, 1:20 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-26T13:20:42Z] <lucaswerkmeister-wmde@deploy1003> Started scap sync-world: Backport for [[gerrit:1181782|PHPSessionHandler: Better handle objects stored in the session (T402602)]], [[gerrit:1181788|Add maint script to fix global edit count of renamed users (T313900)]], [[gerrit:1181789|Add maint script to fix wrong actors in local log entries for global renames (T398177)]]

Stashbot mentioned this in T313900: Renaming a user doubles their edit count according to CentralAuthUser::getGlobalEditCount() / global_edit_count.gec_count field.Aug 26 2025, 1:20 PM
Stashbot mentioned this in T398177: 'renameuser' logs for a global rename use actor ID from metawiki instead of the local one when created by the fixStuckGlobalRename.php script.
Stashbot added a comment.Aug 26 2025, 1:27 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-26T13:26:59Z] <lucaswerkmeister-wmde@deploy1003> matmarex, lucaswerkmeister-wmde: Backport for [[gerrit:1181782|PHPSessionHandler: Better handle objects stored in the session (T402602)]], [[gerrit:1181788|Add maint script to fix global edit count of renamed users (T313900)]], [[gerrit:1181789|Add maint script to fix wrong actors in local log entries for global renames (T398177)]] synced to the testservers (see https://wikitech.wikim

Maintenance_bot removed a project: Patch-For-Review.Aug 26 2025, 1:30 PM
Stashbot added a comment.Aug 26 2025, 1:33 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-26T13:33:37Z] <lucaswerkmeister-wmde@deploy1003> Finished scap sync-world: Backport for [[gerrit:1181782|PHPSessionHandler: Better handle objects stored in the session (T402602)]], [[gerrit:1181788|Add maint script to fix global edit count of renamed users (T313900)]], [[gerrit:1181789|Add maint script to fix wrong actors in local log entries for global renames (T398177)]] (duration: 12m 54s)

matmarex closed this task as Resolved.Aug 26 2025, 1:50 PM

No more warnings since the deployment: https://logstash.wikimedia.org/goto/52a5435c02284314fb7190afb24eb9c4

ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.15; 2025-08-19); removed MW-1.45-notes (1.45.0-wmf.16; 2025-08-26).Aug 26 2025, 2:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits