From 7491b52f700e220814a8190781fd794b4dd88a20 Mon Sep 17 00:00:00 2001
From: Bryan Davis <bd808@wikimedia.org>
Date: Mon, 25 Jan 2016 10:04:29 -0700
Subject: [PATCH] Call session_cache_limiter() before starting a session

Call `session_cache_limiter( 'private, must-revalidate' );` before
starting a session to specify the cache control headers that PHP will
automatically emit. The calls are wrapped in MediaWiki\quietCall to
suppress "headers have already been sent" warnings that may come from PHP.

If not called explicitly PHP will default to using
the value of the session.cache_limiter ini setting. Some values of that
setting will cause PHP to add a "Pragma: no-cache" header to the
response. Certain user agents (e.g. Firefox) treat that particular
header as a signal to aggressively flush the response from local cache
to the point that back button navigation will not work.

The value used was present in `wfSetupSession` prior to a73c5b7.

Bug: T124510
Change-Id: I942f8420c39c8cec5781ea8f6cc5619fd15f13cd
---
 includes/GlobalFunctions.php        | 2 +-
 includes/Setup.php                  | 1 +
 includes/context/RequestContext.php | 1 +
 includes/session/SessionBackend.php | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 928066b005..4d0ebf60e3 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -3082,7 +3082,7 @@ function wfSetupSession( $sessionId = false ) {
 	if ( session_id() !== $session->getId() ) {
 		session_id( $session->getId() );
 	}
-
+	MediaWiki\quietCall( 'session_cache_limiter', 'private, must-revalidate' );
 	MediaWiki\quietCall( 'session_start' );
 }
 
diff --git a/includes/Setup.php b/includes/Setup.php
index 85ff3f32f6..9bf05e087f 100644
--- a/includes/Setup.php
+++ b/includes/Setup.php
@@ -738,6 +738,7 @@ if ( !defined( 'MW_NO_SESSION' ) && !$wgCommandLineMode ) {
 	) {
 		// Start the PHP-session for backwards compatibility
 		session_id( $session->getId() );
+		MediaWiki\quietCall( 'session_cache_limiter', 'private, must-revalidate' );
 		MediaWiki\quietCall( 'session_start' );
 	}
 }
diff --git a/includes/context/RequestContext.php b/includes/context/RequestContext.php
index afb5704074..3b868a1a36 100644
--- a/includes/context/RequestContext.php
+++ b/includes/context/RequestContext.php
@@ -594,6 +594,7 @@ class RequestContext implements IContextSource, MutableContext {
 			$wgUser = $context->getUser(); // b/c
 			if ( $session && MediaWiki\Session\PHPSessionHandler::isEnabled() ) {
 				session_id( $session->getId() );
+				MediaWiki\quietCall( 'session_cache_limiter', 'private, must-revalidate' );
 				MediaWiki\quietCall( 'session_start' );
 			}
 			$request = new FauxRequest( array(), false, $session );
diff --git a/includes/session/SessionBackend.php b/includes/session/SessionBackend.php
index 3c0f692661..95c6f0c7f6 100644
--- a/includes/session/SessionBackend.php
+++ b/includes/session/SessionBackend.php
@@ -643,6 +643,7 @@ final class SessionBackend {
 			) {
 				$this->logger->debug( "SessionBackend $this->id: Taking over PHP session" );
 				session_id( (string)$this->id );
+				\MediaWiki\quietCall( 'session_cache_limiter', 'private, must-revalidate' );
 				\MediaWiki\quietCall( 'session_start' );
 			}
 		}
-- 
2.20.1