From 632c3b6a171bb39e167fe4b43f86f42e0933abc2 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Sat, 12 Jan 2019 14:16:52 -0500
Subject: [PATCH] Avoid session double-start in Setup.php

In PHP before 7.3, the double start doesn't really matter: session_id()
changes the ID even if it was already started, and the warning from
session_start() can just be ignored. Which is what we did.

In PHP 7.3, now session_id() also warns and no longer changes the ID. To
preserve the previous behavior, we'll need to explicitly close the old
session and open the new one.

Bug: T213489
Change-Id: I02a5be1c3adb326927c156fdd00663bccee37477
---
 RELEASE-NOTES-1.31 |  1 +
 includes/Setup.php | 12 ++++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/RELEASE-NOTES-1.31 b/RELEASE-NOTES-1.31
index fa89df3b01..e27cda2ea2 100644
--- a/RELEASE-NOTES-1.31
+++ b/RELEASE-NOTES-1.31
@@ -23,6 +23,7 @@ THIS IS NOT A RELEASE YET
   * (T207112) Add session_write_close() calls to SessionManager tests
   * oyejorge/less.php replaced with our fork wikimedia/less.php
   * (T209756) Updated wikimedia/ip-set from 1.2.0 to 1.3.0.
+  * (T213489) Avoid session double-start in Setup.php.
 * (T207540) Include IP address in "Login for $1 succeeded" log entry.
 * (T201781) Database: Allow selectFieldValues() to accept SQL fragments
 * (T205765) installer: Don't link to the obsolete "Extension Matrix" page
diff --git a/includes/Setup.php b/includes/Setup.php
index f4025945eb..7b7cafcddb 100644
--- a/includes/Setup.php
+++ b/includes/Setup.php
@@ -869,11 +869,19 @@ if ( !defined( 'MW_NO_SESSION' ) && !$wgCommandLineMode ) {
 
 	$session->renew();
 	if ( MediaWiki\Session\PHPSessionHandler::isEnabled() &&
-		( $session->isPersistent() || $session->shouldRememberUser() )
+		( $session->isPersistent() || $session->shouldRememberUser() ) &&
+		session_id() !== $session->getId()
 	) {
 		// Start the PHP-session for backwards compatibility
+		if ( session_id() !== '' ) {
+			wfDebugLog( 'session', 'PHP session {old_id} was already started, changing to {new_id}', 'all', [
+				'old_id' => session_id(),
+				'new_id' => $session->getId(),
+			] );
+			session_write_close();
+		}
 		session_id( $session->getId() );
-		Wikimedia\quietCall( 'session_start' );
+		session_start();
 	}
 
 	unset( $session );
-- 
2.20.1