From dcf75c4f9de8fdc5d944ac48dfd08596adb227be Mon Sep 17 00:00:00 2001
From: Brad Jorsch
Date: Wed, 3 Oct 2018 15:07:24 -0400
Subject: [PATCH 1/1] Enforce no-session constraint in opensearch_desc.php and profileinfo.php
Attempts to use session data via these endpoints will now cause exceptions to be thrown.
Bug: T127233
Change-Id: I28b080a84e7b928e4336a5a1ec770bb57b05d009
---
 opensearch_desc.php | 5 ++---
 profileinfo.php | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/opensearch_desc.php b/opensearch_desc.php
index b9b21611d0..bd3281aa9c 100644
--- a/opensearch_desc.php
+++ b/opensearch_desc.php
@@ -21,9 +21,8 @@
 */
 // This endpoint is supposed to be independent of request cookies and other
-// details of the session. Log warnings for violations of the no-session
-// constraint.
-define( 'MW_NO_SESSION', 'warn' );
+// details of the session. Enforce this constraint with respect to session use.
+define( 'MW_NO_SESSION', 1 );
 require_once __DIR__ . '/includes/WebStart.php';
diff --git a/profileinfo.php b/profileinfo.php
index 0a60b08a27..c65f952ac2 100644
--- a/profileinfo.php
+++ b/profileinfo.php
@@ -37,9 +37,8 @@
 */
 // This endpoint is supposed to be independent of request cookies and other
-// details of the session. Log warnings for violations of the no-session
-// constraint.
-define( 'MW_NO_SESSION', 'warn' );
+// details of the session. Enforce this constraint with respect to session use.
+define( 'MW_NO_SESSION', 1 );
 ini_set( 'zlib.output_compression', 'off' );
--
2.20.1
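Review bot: The new comment in the opensearch_desc.php hunk (and the identical one in the profileinfo.php hunk) says the constraint is enforced but not how, and the bare `1` gives no hint that it differs from `'warn'` only in failure mode. Going by the commit message, session access on these entry points now throws instead of logging, so I would spell that out, e.g. `// details of the session. Any attempt to use session data throws an exception.` Code loaded after this define (WebStart.php here, and anything it pulls in, all outside the hunk) may still touch the session, so it is worth confirming that the earlier `'warn'` logging shows no violations before merging; such a path would now fail the request rather than emit a warning. For profileinfo.php the constraint also means access control cannot depend on the requesting user, so whatever gates that endpoint has to be configuration-based, and that check is not visible in the hunk.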