Page MenuHomePhabricator

Session is started by EditAction (problem for extensions using UserLoadFromSession hook)
Closed, ResolvedPublic

Description

Author: beiro

Description:
When submitting, SubmitAction#show() is executed, which runs wfSetupSession(). This is a problem for extensions using the UserLoadFromSession hook, as the SubmitAction is called before the UserLoadFromSession hook.

My extension does it's own session management, using the PHP session manager. When MediaWiki suddenly runs its own session_start(), it will create a different session (with a different session name and session id).

How to reproduce:

  1. Install an extension that will handle sessions. Mine is https://www.mediawiki.org/wiki/Extension:SimpleSamlAuth
  2. Clear cookies
  3. Visit your wiki and log in
  4. Observe cookies (only SAML cookies are set)
  5. Make a change (it will fail the first time, due to the cookie missing)
  6. Observe cookies (both SAML and MediaWiki cookies are set)

Actual results:
MediaWiki will, despite a UserLoadFromSession hook being configured, set it's own cookie and create it's own session upon submit.

Expected results:
MediaWiki will never set its own cookie because a hook is set.

Note:

  • A lot of UserLoadFromSession extensions I have observed call wfSetupSession() themselves. I think this is not how the hooks are supposed to work, but this would solve my problem.

Version: 1.22.6
Severity: normal

Details

Reference
bz65493

Related Objects

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 3:23 AM
bzimport added a project: MediaWiki-General.
bzimport set Reference to bz65493.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.May 19 2014, 4:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 18 2015, 6:46 PM
Tgr added a subscriber: Tgr.

AuthManager deprecates wfSetupSession and UserLoadFromSession and centralizes session handling so that you can fully replace the default session handler with your own.

Anomie closed this task as Resolved.Jun 16 2016, 4:15 PM
Anomie claimed this task.
Anomie added a subscriber: Anomie.

Sessions are now started during Setup.php, and wfSetupSession and UserLoadFromSession are both deprecated in 1.27. Your extension will need rewriting for SessionManager, see https://www.mediawiki.org/wiki/Manual:SessionManager_and_AuthManager for details.