From 514725e7fefe47c0187b9ea94aa3dbf49bd44806 Mon Sep 17 00:00:00 2001
From: Bryan Davis
Date: Sun, 31 Jan 2016 21:39:10 -0700
Subject: [PATCH] Disable automatic cache headers associated with starting a session
Follow up to 7491b52. The 'private, must-revalidate' argument to session_cache_limiter() does not match any expected values for the function. This results in the PHP runtime treating it like the documented empty string argument which completely disables the automatic addition of cache related headers. Change the implementation to use the empty string argument explicitly rather than continuing to rely on the undocumented and potentially confusing existing behavior. session_cache_limiter( '' ) is called unconditionally in MediaWiki\Session\PHPSessionHandler::install(). This is safe now that it is understood that we are disabling the setting of the automatic headers.
Bug: T124510
Change-Id: I63164f8b7a408e370ff01dead42be27a0135dd35
---
 includes/GlobalFunctions.php | 1 -
 includes/Setup.php | 1 -
 includes/context/RequestContext.php | 1 -
 includes/session/PHPSessionHandler.php | 6 ++++++
 includes/session/SessionBackend.php | 1 -
 5 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 40669459e4..66201b5ee4 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -3082,7 +3082,6 @@ function wfSetupSession( $sessionId = false ) {
 if ( session_id() !== $session->getId() ) {
 session_id( $session->getId() );
 }
- MediaWiki\quietCall( 'session_cache_limiter', 'private, must-revalidate' );
 MediaWiki\quietCall( 'session_start' );
 }
diff --git a/includes/Setup.php b/includes/Setup.php
index 6c856389d7..ba3d628cf2 100644
--- a/includes/Setup.php
+++ b/includes/Setup.php
@@ -738,7 +738,6 @@ if ( !defined( 'MW_NO_SESSION' ) && !$wgCommandLineMode ) {
 ) {
 // Start the PHP-session for backwards compatibility
 session_id( $session->getId() );
- MediaWiki\quietCall( 'session_cache_limiter', 'private, must-revalidate' );
 MediaWiki\quietCall( 'session_start' );
 }
 }
diff --git a/includes/context/RequestContext.php b/includes/context/RequestContext.php
index 73e11b5b79..8056b4d163 100644
--- a/includes/context/RequestContext.php
+++ b/includes/context/RequestContext.php
@@ -595,7 +595,6 @@ class RequestContext implements IContextSource, MutableContext {
 $wgUser = $context->getUser(); // b/c
 if ( $session && MediaWiki\Session\PHPSessionHandler::isEnabled() ) {
 session_id( $session->getId() );
- MediaWiki\quietCall( 'session_cache_limiter', 'private, must-revalidate' );
 MediaWiki\quietCall( 'session_start' );
 }
 $request = new FauxRequest( array(), false, $session );
diff --git a/includes/session/PHPSessionHandler.php b/includes/session/PHPSessionHandler.php
index d21bea988c..4dea274337 100644
--- a/includes/session/PHPSessionHandler.php
+++ b/includes/session/PHPSessionHandler.php
@@ -123,6 +123,12 @@ class PHPSessionHandler {
 ini_set( 'session.use_cookies', 0 );
 ini_set( 'session.use_trans_sid', 0 );
+ // T124510: Disable automatic PHP session related cache headers.
+ // MediaWiki adds it's own headers and the default PHP behavior may
+ // set headers such as 'Pragma: no-cache' that cause problems with
+ // some user agents.
+ session_cache_limiter( '' );
+
 // Also set a sane serialization handler
 \Wikimedia\PhpSessionSerializer::setSerializeHandler();
diff --git a/includes/session/SessionBackend.php b/includes/session/SessionBackend.php
index 2a13ed20ef..d177fc5cce 100644
--- a/includes/session/SessionBackend.php
+++ b/includes/session/SessionBackend.php
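Review bot: The comment added above `session_cache_limiter( '' )` in PHPSessionHandler::install() gives the reason for turning PHP's automatic headers off but leaves out the obligation that follows: with an empty limiter PHP adds no `Cache-Control`, `Expires` or `Pragma` header when a session starts, so any entry point that emits session-dependent output has to send its own caching headers or a shared cache may store it. I would add a line such as `// Session-dependent responses must set their own Cache-Control; PHP no longer adds one.` and correct `it's own` to `its own`. Unlike the four removed call sites, this call is not wrapped in `MediaWiki\quietCall`, so if a session is already active when install() runs the limiter may be left unchanged and PHP may emit a warning. Whether install() guards against that is not visible here, because its body starts and ends outside the hunk.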
@@ -668,7 +668,6 @@ final class SessionBackend {
 ) {
 $this->logger->debug( "SessionBackend $this->id: Taking over PHP session" );
 session_id( (string)$this->id );
- \MediaWiki\quietCall( 'session_cache_limiter', 'private, must-revalidate' );
 \MediaWiki\quietCall( 'session_start' );
 }
 }
--
2.20.1