19 commits

Author SHA1 Message Date
Brad Jorsch
5083e810eb Remove SessionManager, temporarily
The plan here is to take it out of 1.27.0-wmf.12 and put it back in
1.27.0-wmf.13.

Since BotPasswords depends on SessionManager, that's getting temporarily
removed too.

This reverts the following commits:
* 6acd424e0d SessionManager: Notify AuthPlugin before calling hooks
* 4d1ad32d8a Close a loophole in CookieSessionProvider
* fcdd643a46 SessionManager: Don't save non-persisted sessions to backend storage
* 058aec4c76 MessageCache: Don't get a ParserOptions for $wgUser before the end of Setup.php
* b5c0c03bb7 SessionManager: Save user name to metadata even if the user doesn't exist locally
* 13f2f09a19 SECURITY: Fix User::setToken() call on User::newSystemUser
* 305bc75b27 SessionManager: Don't generate user tokens when checking the tokens
* 7c4bd85d21 RequestContext::exportSession() should only export persisted session IDs
* 296ccfd4a9 SessionManager: Save 'persisted' flag in session metadata
* 94ba53f677 Move CSRF token handling into MediaWiki\Session\Session
* 46a565d6b0 Avoid false "added in both Session and $_SESSION" when value is null
* c00d0b5d94 Log backtrace for "User::loadFromSession called before the end of Setup.php"
* 4eeff5b559 Use $wgSecureCookie to decide whether to actually mark secure cookies as 'secure'
* 7491b52f70 Call session_cache_limiter() before starting a session
* 2c34aeea72 SessionManager: Abstract forceHTTPS cookie setting
* 9aa53627a5 Ignore auth cookies with value 'deleted'
* 43f904b51a SessionManager: Kill getPersistedSessionId()
* 50c5256352 SessionManager: Add SessionBackend::setProviderMetadata()
* f640d40315 SessionManager: Notify AuthPlugin when auto-creating accounts
* 70b05d1ac1 Add checks of $wgEnableBotPasswords in more places
* bfed32eb78 Do not raise a PHP warning when session write fails
* 722a7331ad Only check LoggedOut timestamp on the user loaded from session
* 4f5057b84b SessionManager: Change behavior of getSessionById()
* 66e82e614e Fix typo in [[MediaWiki:Botpasswords-editexisting/en]]
* f9fd9516d9 Add "bot passwords"
* d7716f1df0 Add missing argument for wfDebugLog
* a73c5b7395 Add SessionManager

Change-Id: I2389a8133e25ab929e9f27f41fa9a05df8147a50
2016-02-01 22:06:49 +00:00
Brad Jorsch
a73c5b7395 Add SessionManager
SessionManager is a general-purpose session management framework, rather
than the cookie-based sessions that PHP wants to provide us.

While fallback is provided for using $_SESSION and other PHP session
management functions, they should be avoided in favor of using
SessionManager directly.

For proof-of-concept extensions, see OAuth change Ib40b221 and
CentralAuth change I27ccabdb.

Bug: T111296
Change-Id: Ic1ffea74f3ccc8f93c8a23b795ecab6f06abca72
2016-01-12 21:57:01 +00:00
Aaron Schulz
6cc65335f3 Convert SiteStatsUpdate to using getMainStashInstance()
Also fixed various $wgMemc related comments

Change-Id: I20602b672f724c8df1e82bbe3c586cb899a54640
2015-10-31 13:05:03 -07:00
Aaron Schulz
4f0b16b914 Fixed BufferingStatsdDataFactory::timing() callers to use ms
* The interface actually demands this

Change-Id: I1e334c2696a8a8eca73a6ae7f71428190cad3107
2015-08-19 01:01:49 +00:00
Aaron Schulz
3bf391e842 Added statsd metrics for ObjectCacheSessionHandler
Change-Id: I86e967a027e2010f962831b55a9fceab02d8a19e
2015-08-13 13:04:28 -07:00
Aaron Schulz
08039b2df4 Restored I4afaecd8: "Avoiding writing sessions for no reason"
* After 203d2c9c11, the refresh updates should actually trigger

This reverts commit e48fec5a8a.

Change-Id: I8427ed5b3a5bb80033cbdf071a33f8a3999ecb97
2015-08-11 21:46:05 +00:00
Aaron Schulz
203d2c9c11 Moved ObjectCacheSessionHandler renewal logic to wfSetupSession()
* This should trigger more reliably than the shutdown function
  callback, which is really only there for sanity to make sure
  session close/write happens.

Change-Id: I9a1aa76de121ba8de33b3fa850bd223929fae404
2015-08-10 19:10:38 +00:00
Ori.livneh
e48fec5a8a Revert I4afaecd8: Avoiding writing sessions for no reason
I4afaecd8 reduced the frequency at which the TTL of session keys is reset, on
the assumption that we were doing it a whole lot more often than necessary.
We can now assume that this assumption was false, because an uncommitted revert
of this change which I pushed to production earlier caused the rate of session
loss errors in the logs to plummet.

Bug: T102199
Change-Id: Ie67f4ca000afcf3d4f44155c13f91cd4c286866d
2015-07-31 23:30:11 +00:00
Aaron Schulz
646fdc978c Added pre-emptive session renewal to avoid "random" submission errors
* The session will be renewed on access if it will expire in 10 minutes
* This avoids a problem both with 532ef78 + PHP <= 5.5 or any PHP >= 5.6

Bug: T102199
Change-Id: I8cad100bc35e86fa95ad144bcad338f3cb5d82a1
2015-06-18 21:51:15 +00:00
Aaron Schulz
b48f51c522 Minor doc fixes
Change-Id: I80678e64cafcfd6e2c779452f466d8a630089568
2015-03-09 23:08:37 -07:00
Aaron Schulz
532ef7851c Avoiding writing sessions for no reason
bug: T88635
Change-Id: I4afaecd8dc29390b1ee2a6a77f9ca0cba333ef92
2015-02-10 18:14:02 +00:00
Kunal Mehta
dd8fef31e7 ObjectCacheSessionHandler::getCache() returns BagOStuff
Change-Id: I7f514857154297c7033dd26af97b6ac83c13f104
2014-11-13 12:53:50 -08:00
umherirrender
fd66273c94 Fixed some @params documentation (includes/[cache|objectcache])
Swapped some "$var type" to "type $var" or added missing types
before the $var. Changed some other types to match the more common
spelling. Makes beginning of some text in capital.
Also added some missing @param.

Change-Id: I86fd10e3f2d4bb80e7432533038d124693acfb3c
2014-04-19 01:19:46 +02:00
umherirrender
892ee7a4af Fixed spacing in db/debug/diff/externalstore/objectcache folder
Added spaces before if, foreach
Added some braces for one line statements

Change-Id: I32a43c547630ce31b6b25cc1bc9eedc50e67b2d7
2013-04-20 22:28:52 +02:00
Tyler Anthony Romeo
4dcc7961df Fixed @param tags to conform with Doxygen format.
Doxygen expects parameter types to come before the
parameter name in @param tags. Used a quick regex
to switch everything around where possible. This
only fixes cases where a primitive variable (or a
primitive followed by other types) is the variable
type. Other cases will need to be fixed manually.

Change-Id: Ic59fd20856eb0489d70f3469a56ebce0efb3db13
2013-03-11 13:15:01 -04:00
Alexandre Emsenhuber
a75b6d53cd Improve documentation of maintenance scripts.
Also contains a fix for Ia5a38311 (fae0550).

Change-Id: I630c83b48b66c5d8c97411082cabd731f316f42d
2012-09-02 20:33:22 +02:00
Alexandre Emsenhuber
d3e0168c67 Added missing GPLv2 headers in new files.
Also improved file documentation.

Change-Id: Ia5a383110769cf51603305dc639616d904ebbab2
2012-09-01 21:56:38 +02:00
Tim Starling
3b0132a649 Allow session expiry time to be configured
When $wgSessionsInObjectCache is enabled, use a configurable expiry time
instead of a hard-coded one-hour expiry.

Change-Id: Ia51962176d30fd87e298c47ec347a143cad80772
2012-08-08 11:20:30 +10:00
Tim Starling
6eb6313b6f Allow session storage to be configured independently
* Introduce $wgSessionCacheType to allow the session storage to be
  configured independently of $wgMemc.
* Renamed $wgSessionsInMemcached to $wgSessionsInObjectCache to reflect
  the new versatility.
* Modernized the relevant code, removing the explicit require_once(),
  used the autoloader instead. Moved it to ObjectCacheSessionHandler.
* Tested with memcached, external sharded MySQL and APC, it all seems to
  work just fine.

Change-Id: I473334bb56cafb4e21ac1c1304d69095676fc0c4
2012-08-08 10:25:56 +10:00