Merge "mediawiki.api.parse: Use formatversion=2 for API requests"
[lhc/web/wiklou.git] / includes / session / CookieSessionProvider.php
index 915127f..f989cbc 100644 (file)
@@ -104,11 +104,14 @@ class CookieSessionProvider extends SessionProvider {
 
        public function provideSessionInfo( WebRequest $request ) {
                $info = array(
-                       'id' => $this->getCookie( $request, $this->params['sessionName'], '' )
+                       'id' => $this->getCookie( $request, $this->params['sessionName'], '' ),
+                       'provider' => $this,
+                       'forceHTTPS' => $this->getCookie( $request, 'forceHTTPS', '', false )
                );
                if ( !SessionManager::validateSessionId( $info['id'] ) ) {
                        unset( $info['id'] );
                }
+               $info['persisted'] = isset( $info['id'] );
 
                list( $userId, $userName, $token ) = $this->getUserInfoFromCookies( $request );
                if ( $userId !== null ) {
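Review bot: `$info['forceHTTPS']` is filled with the raw cookie string returned by getCookie() (default `''`), so the flag's truthiness depends on whatever the client sent rather than on an explicit boolean; if SessionInfo treats this key as a bool, `'forceHTTPS' => (bool)$this->getCookie( $request, 'forceHTTPS', '', false ),` would make that intent visible. The positional `false` fourth argument gives no hint of what it controls; a short trailing comment such as `// unprefixed cookie` (if that is indeed what the argument selects) would help the next reader. Since a client-set value can only turn the flag on, this is a clarity point rather than a downgrade. provideSessionInfo() continues past the end of this hunk, so the remaining handling of `$info` is not visible here.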
@@ -128,21 +131,22 @@ class CookieSessionProvider extends SessionProvider {
                                        return null;
                                }
                                $info['userInfo'] = $userInfo->verified();
-                       } elseif ( isset( $info['id'] ) ) { // No point if no session ID
+                       } elseif ( isset( $info['id'] ) ) {
                                $info['userInfo'] = $userInfo;
+                       } else {
+                               // No point in returning, loadSessionInfoFromStore() will
+                               // reject it anyway.
+                               return null;
                        }
-               }
-
-               if ( !$info ) {
+               } elseif ( isset( $info['id'] ) ) {
+                       // No UserID cookie, so insist that the session is anonymous.
+                       $info['userInfo'] = UserInfo::newAnonymous();
+               } else {
+                       // No session ID and no user is the same as an empty session, so
+                       // there's no point.
                        return null;
                }
 
-               $info += array(
-                       'provider' => $this,
-                       'persisted' => isset( $info['id'] ),
-                       'forceHTTPS' => $this->getCookie( $request, 'forceHTTPS', '', false )
-               );
-
                return new SessionInfo( $this->priority, $info );
        }
 
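Review bot: The `elseif ( isset( $info['id'] ) )` branch at the top of the hunk hands over a `$userInfo` that, unlike the branch immediately above it, has not been passed through `verified()`, and the rewrite dropped the only comment that branch had. A one-line comment would make the trust boundary explicit: `// Session ID present but no usable token: pass the unverified user along; presumably loadSessionInfoFromStore() has to confirm it.` The token check that decides between the two branches starts outside the hunk, so I cannot confirm from here which failures land in this branch.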
@@ -176,7 +180,10 @@ class CookieSessionProvider extends SessionProvider {
 
                $forceHTTPS = $session->shouldForceHTTPS() || $user->requiresHTTPS();
                if ( $forceHTTPS ) {
-                       $options['secure'] = true;
+                       // Don't set the secure flag if the request came in
+                       // over "http", for backwards compat.
+                       // @todo Break that backwards compat properly.
+                       $options['secure'] = $this->config->get( 'CookieSecure' );
                }
 
                $response->setCookie( $this->params['sessionName'], $session->getId(), null,
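Review bot: The new comment on `$options['secure']` says the flag depends on whether the request came in over "http", but the line reads the `CookieSecure` config value, not the request scheme; unless that setting is derived from the scheme elsewhere (nothing in the hunk shows it), the comment describes behaviour the code does not implement. The change also replaces an unconditional Secure attribute with a configurable one for sessions where `shouldForceHTTPS()` or `requiresHTTPS()` holds, so when CookieSecure is false the session cookie of an HTTPS-requiring user is emitted without Secure. I would say that in the comment so the @todo carries the risk: `// Backwards compat: honour CookieSecure instead of forcing Secure, so an HTTPS-requiring user's session cookie may still be sent without the Secure attribute when CookieSecure is false.` The setCookie() call on the last line continues outside the hunk.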