The `session` channel has a bunch of `MediaWiki\Session\PHPSessionHandler::write: Key "XXX" added in both Session and $_SESSION!` messages (at a glance, CentralAuth is the main culprit). We should probably fix these to have cleaner logs.
----
At first glance, it looks like all of these log entries are probably false positives fixed by {46a565d6}. But this should still be cleaned up at some point, as well as usage of `session_*()` functions and `wfSetupSession()`.
* [x] #AbuseFilter
* [x] #MediaWiki-extensions-CentralAuth - Only uses are in non-SessionManager back-compat code paths
* [x] #CentralNotice - One `wfSetupSession()`, fixed in 1fd731a38
* [x] #MediaWiki-extensions-Collection
* [x] #confirmedit_captcha_extension
* [x] #MediaWiki-extensions-ContactPage - One `wfSetupSession()`.
* [ ] #DonationInterface
* [ ] #MediaWiki-extensions-LdapAuthentication
* [ ] #LiquidThreads - Only inside a hack for {T29887}, which should probably be changed to use DerivativeRequest instead of FauxRequest.
* [x] #OAuth - Only uses are in non-SessionManager back-compat code paths
* [ ] #OpenStackManager
* [x] #MediaWiki-extensions-SecurePoll
* [ ] #MediaWiki-extensions-SemanticForms - Looks like another good case for DerivativeRequest.
As for actually fixing things,
* Anywhere you have a WebRequest, you have a Session via `$webRequest->getSession()`. So it should be easy to get one. If you really don't have a WebRequest, `\MediaWiki\Session\SessionManager::getGlobalSession()` is available.
* `$webRequest->getSessionData()` and `$webRequest->setSessionData()` may be used without any back-compat testing to replace direct accesses of `$_SESSION`, although they're inefficient if you're getting/setting many variables and can't be iterated over. The Session object can be iterated over.
* `session_id() !== ''` is replaced with `$session->isPersistent()`.
* `wfSetupSession()` is replaced with `$session->persist()`
** Also, `if ( session_id() === '' ) { wfSetupSession(); }` may be replaced with simply `$session->persist();`.