Author: beiro
Description:
When submitting, SubmitAction#show() is executed, which runs wfSetupSession(). This is a problem for extensions using the UserLoadFromSession hook, as the SubmitAction is called before the UserLoadFromSession hook.
My extension does its own session management, using the PHP session manager. When MediaWiki suddenly runs its own session_start(), it will create a different session (with a different session name and session id).
How to reproduce:
- Install an extension that will handle sessions. Mine is https://www.mediawiki.org/wiki/Extension:SimpleSamlAuth
- Clear cookies
- Visit your wiki and log in
- Observe cookies (only SAML cookies are set)
- Make a change (it will fail the first time, due to the cookie missing)
- Observe cookies (both SAML and MediaWiki cookies are set)
Actual results:
MediaWiki will, despite a UserLoadFromSession hook being configured, set its own cookie and create its own session upon submit.
Expected results:
MediaWiki will never set its own cookie because a hook is set.
Note:
- A lot of UserLoadFromSession extensions I have observed call wfSetupSession() themselves. I think this is not how the hooks are supposed to work, but this would solve my problem.
Version: 1.22.6
Severity: normal