Page MenuHomePhabricator
Create Task
Maniphest T50371

RequestContext::importScopedSession doesn't work with suhosin.session.encrypt = on
Open, MediumPublic
Actions

Description

ImportSession doesnt seem to actually import the session data if using native php session support. Furthermore, in that case it seems to delete the existing session, changing the users tokens (which can be annoying)

Given we already have to store request info to make this scheme work, im not sure why we don't just store this info in the db (or even just in memcache if something more ephemeral is wanted.)

Version: 1.22.0
Severity: normal

Details

Reference
bz48371

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 1:29 AM
bzimport added a project: MediaWiki-General.
bzimport set Reference to bz48371.
bzimport added a subscriber: Unknown Object (MLST).
Bawolff created this task.May 12 2013, 7:48 AM
DanielFriesen added a comment.May 12 2013, 8:02 AM

Yeah, RequestContext was built so that code could create new contexts and build the output for certain requests (like special pages inside parser outputs and maintenance scripts dumping offline versions by creating contexts for pages and grabbing the output). It was NOT built to allow cli scripts to access sessions attached to requests made from the browser.

If this chunked upload job stuff wants to work with data attached to some session. Instead of using RequestContext it should create some class were some new session id is setup, a container is registered inside of either a cache or the database. And the browser session gets an id telling what one of those cache/db containers is being used. Then the job works with the data that is put into that container for it's use.

After that I think we should delete RequestContext::exportSession and RequestContext::importScopedSession.

Bawolff added a comment.May 12 2013, 8:10 AM

As an additional comment, im not overly a fan of storing ip addresses in the db for purposes such as this if it can be avoided.

Bawolff added a comment.May 12 2013, 2:35 PM

Hmm, now its not working even though I'm using $wgSessionsInObjectCache = true;

gerritbot added a comment.Jul 8 2013, 1:54 AM

Change 72473 had a related patch set uploaded by Brian Wolff:
Have Chunked upload jobs bail if cannot associate with session.

https://gerrit.wikimedia.org/r/72473

Bawolff added a comment.Jul 8 2013, 1:56 AM

Turns out this was (at least for me) due to suhosin.session.encrypt being turned on, which encrypts the session based on the IP of the user.

gerritbot added a comment.Jul 16 2013, 11:55 PM

Change 72473 merged by jenkins-bot:
Have Chunked upload jobs bail if cannot associate with session.

https://gerrit.wikimedia.org/r/72473

Aklapper removed a subscriber: wikibugs-l-list.Apr 12 2020, 9:55 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits