From 276d065d1620289242cfad5ee877aa88d5db5a60 Mon Sep 17 00:00:00 2001
From: Aaron Schulz <aschulz@wikimedia.org>
Date: Wed, 6 Feb 2019 14:28:02 -0800
Subject: [PATCH] Persist sessions pre-send instead of post-send

This avoids race conditions with certain web request patterns

Bug: T214471
Change-Id: I4dfee10326485e98b028585c7da2e6b30787bb91
---
 includes/MediaWiki.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/includes/MediaWiki.php b/includes/MediaWiki.php
index f5a954dc8d..43512e1223 100644
--- a/includes/MediaWiki.php
+++ b/includes/MediaWiki.php
@@ -569,8 +569,11 @@ class MediaWiki {
 	}
 
 	/**
-	 * This function commits all DB changes as needed before
-	 * the user can receive a response (in case commit fails)
+	 * This function commits all DB and session changes as needed *before* the
+	 * client can receive a response (in case DB commit fails) and thus also before
+	 * the response can trigger a subsequent related request by the client
+	 *
+	 * If there is a significant amount of content to flush, it can be done in $postCommitWork
 	 *
 	 * @param IContextSource $context
 	 * @param callable|null $postCommitWork [default: null]
@@ -598,6 +601,8 @@ class MediaWiki {
 		// Run updates that need to block the user or affect output (this is the last chance)
 		DeferredUpdates::doUpdates( 'enqueue', DeferredUpdates::PRESEND );
 		wfDebug( __METHOD__ . ': pre-send deferred updates completed' );
+		// T214471: persist the session to avoid race conditions on subsequent requests
+		$request->getSession()->save();
 
 		// Should the client return, their request should observe the new ChronologyProtector
 		// DB positions. This request might be on a foreign wiki domain, so synchronously update
-- 
2.20.1