* WebResponse::setcookie is much more featureful. Callers using PHP's
setcookie() or setrawcookie() should begin using this instead.
* New hook WebResponseSetCookie, called from WebResponse::setcookie().
+* New hook ResetSessionID, called when the session id is reset.
=== Bug fixes in 1.22 ===
* Disable Special:PasswordReset when $wgEnableEmail is false. Previously one
&$skin: A variable reference you may set a Skin instance or string key on to
override the skin that will be used for the context.
+'ResetSessionID': Called from wfResetSessionID
+$oldSessionID: old session id
+$newSessionID: new session id
+
'ResourceLoaderGetConfigVars': Called at the end of
ResourceLoaderStartUpModule::getConfig(). Use this to export static
configuration variables to JavaScript. Things that depend on the current page
}
}
+/**
+ * Reset the session_id
+ * @since 1.22
+ */
+function wfResetSessionID() {
+ global $wgCookieSecure;
+ $oldSessionId = session_id();
+ $cookieParams = session_get_cookie_params();
+ if ( wfCheckEntropy() && $wgCookieSecure == $cookieParams['secure'] ) {
+ session_regenerate_id( false );
+ } else {
+ $tmp = $_SESSION;
+ session_destroy();
+ wfSetupSession( MWCryptRand::generateHex( 32 ) );
+ $_SESSION = $tmp;
+ }
+ $newSessionId = session_id();
+ wfRunHooks( 'ResetSessionID', array( $oldSessionId, $newSessionId ) );
+}
+
+
/**
* Initialise php session
*
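Review bot: The comment explaining why the session ID is sometimes rebuilt by hand was removed at the call site and not carried into `wfResetSessionID()`, so the condition on the `wfCheckEntropy()` line is now unexplained. I would restore it above the `if`, e.g. `// Let PHP regenerate the ID only if its entropy is trusted and the cookie 'secure' flag is unchanged; otherwise rebuild the session manually.` The docblock should also state that the `session_regenerate_id( false )` branch does not delete the old session record, so the value passed as `$oldSessionId` may still resolve to stored session data until it expires. `ResetSessionID` handlers therefore receive live session identifiers and should not log or persist them. If no session is active when this runs, `session_id()` returns an empty string and the hook still fires; whether callers guarantee an active session is not visible in this hunk.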
$wgCookieSecure = false;
}
- // If either we don't trust PHP's entropy, or if we need
- // to change cookie settings when logging in because of
- // wpStickHTTPS, then change the session ID manually.
- $cookieParams = session_get_cookie_params();
- if ( wfCheckEntropy() && $wgCookieSecure == $cookieParams['secure'] ) {
- session_regenerate_id( false );
- } else {
- $tmp = $_SESSION;
- session_destroy();
- wfSetupSession( MWCryptRand::generateHex( 32 ) );
- $_SESSION = $tmp;
- }
+ wfResetSessionID();
}
/**