/**
* Whether to use PHP session handling ($_SESSION and session_*() functions)
+ *
+ * If the constant MW_NO_SESSION is defined, this is forced to 'disable'.
+ *
+ * If the constant MW_NO_SESSION_HANDLER is defined, this is ignored and PHP
+ * session handling will function independently of SessionHandler.
+ * SessionHandler and PHP's session handling may attempt to override each
+ * others' cookies.
+ *
* @since 1.27
* @var string
* - 'enable': Integrate with PHP's session handling as much as possible.
function wfSetupSession( $sessionId = false ) {
wfDeprecated( __FUNCTION__, '1.27' );
- // If they're calling this, they probably want our session management even
- // if NO_SESSION was set for Setup.php.
- if ( !MediaWiki\Session\PHPSessionHandler::isInstalled() ) {
- MediaWiki\Session\PHPSessionHandler::install( SessionManager::singleton() );
- }
-
if ( $sessionId ) {
session_id( $sessionId );
}
) {
$wgPHPSessionHandling = 'warn';
}
+if ( defined( 'MW_NO_SESSION' ) ) {
+ // If the entry point wants no session, force 'disable' here unless they
+ // specifically set it to the (undocumented) 'warn'.
+ $wgPHPSessionHandling = MW_NO_SESSION === 'warn' ? 'warn' : 'disable';
+}
Profiler::instance()->scopedProfileOut( $ps_default );
session_name( $wgSessionName ? $wgSessionName : $wgCookiePrefix . '_session' );
}
- // Create the SessionManager singleton and set up our session handler
- MediaWiki\Session\PHPSessionHandler::install(
- MediaWiki\Session\SessionManager::singleton()
- );
+ // Create the SessionManager singleton and set up our session handler,
+ // unless we're specifically asked not to.
+ if ( !defined( 'MW_NO_SESSION_HANDLER' ) ) {
+ MediaWiki\Session\PHPSessionHandler::install(
+ MediaWiki\Session\SessionManager::singleton()
+ );
+ }
// Initialize the session
try {
session_id( $session->getId() );
MediaWiki\quietCall( 'session_start' );
}
+
+ unset( $session );
+} else {
+ // Even if we didn't set up a global Session, still install our session
+ // handler unless specifically requested not to.
+ if ( !defined( 'MW_NO_SESSION_HANDLER' ) ) {
+ MediaWiki\Session\PHPSessionHandler::install(
+ MediaWiki\Session\SessionManager::singleton()
+ );
+ }
}
Profiler::instance()->scopedProfileOut( $ps_session );
* Override the necessary bits of the config to run an installation.
*/
public static function overrideConfig() {
- define( 'MW_NO_SESSION', 1 );
+ // Use PHP's built-in session handling, since MediaWiki's
+ // SessionHandler can't work before we have an object cache set up.
+ define( 'MW_NO_SESSION_HANDLER', 1 );
// Don't access the database
$GLOBALS['wgUseDatabaseMessages'] = false;
// Some of the environment checks make shell requests, remove limits
$GLOBALS['wgMaxShellMemory'] = 0;
+ // Override the default CookieSessionProvider with a dummy
+ // implementation that won't stomp on PHP's cookies.
$GLOBALS['wgSessionProviders'] = [
[
'class' => 'InstallerSessionProvider',
] ]
]
];
+
+ // Don't try to use any object cache for SessionManager either.
+ $GLOBALS['wgSessionCacheType'] = CACHE_NONE;
}
/**
return;
}
+ if ( defined( 'MW_NO_SESSION_HANDLER' ) ) {
+ throw new \BadMethodCallException( 'MW_NO_SESSION_HANDLER is defined' );
+ }
+
self::$instance = new self( $manager );
// Close any auto-started session, before we replace it
* @return Session
*/
public function getSessionFromInfo( SessionInfo $info, WebRequest $request ) {
+ if ( defined( 'MW_NO_SESSION' ) ) {
+ if ( MW_NO_SESSION === 'warn' ) {
+ // Undocumented safety case for converting existing entry points
+ $this->logger->error( 'Sessions are supposed to be disabled for this entry point' );
+ } else {
+ throw new \BadMethodCallException( 'Sessions are disabled for this entry point' );
+ }
+ }
+
$id = $info->getId();
if ( !isset( $this->allSessionBackends[$id] ) ) {
$this->mOptionOverrides = null;
$this->mOptionsLoaded = false;
- $loggedOut = $this->mRequest ? $this->mRequest->getSession()->getLoggedOutTimestamp() : 0;
+ $loggedOut = $this->mRequest && !defined( 'MW_NO_SESSION' )
+ ? $this->mRequest->getSession()->getLoggedOutTimestamp() : 0;
if ( $loggedOut !== 0 ) {
$this->mTouched = wfTimestamp( TS_MW, $loggedOut );
} else {
if ( is_null( $this->mRights ) ) {
$this->mRights = self::getGroupPermissions( $this->getEffectiveGroups() );
- $allowedRights = $this->getRequest()->getSession()->getAllowedUserRights();
- if ( $allowedRights !== null ) {
- $this->mRights = array_intersect( $this->mRights, $allowedRights );
+ // Deny any rights denied by the user's session, unless this
+ // endpoint has no sessions.
+ if ( !defined( 'MW_NO_SESSION' ) ) {
+ $allowedRights = $this->getRequest()->getSession()->getAllowedUserRights();
+ if ( $allowedRights !== null ) {
+ $this->mRights = array_intersect( $this->mRights, $allowedRights );
+ }
}
Hooks::run( 'UserGetRights', [ $this, &$this->mRights ] );
}
}
- // Remove any rights that aren't allowed to the global-session user
- $allowedRights = SessionManager::getGlobalSession()->getAllowedUserRights();
- if ( $allowedRights !== null && !in_array( $right, $allowedRights, true ) ) {
- $cache[$right] = false;
- return false;
+ // Remove any rights that aren't allowed to the global-session user,
+ // unless there are no sessions for this endpoint.
+ if ( !defined( 'MW_NO_SESSION' ) ) {
+ $allowedRights = SessionManager::getGlobalSession()->getAllowedUserRights();
+ if ( $allowedRights !== null && !in_array( $right, $allowedRights, true ) ) {
+ $cache[$right] = false;
+ return false;
+ }
}
// Allow extensions to say false