Long ago, the only mechanism for session management in MediaWiki was
certain cookies set by the User class. When ApiLogin was written, in
addition to setting these cookies as usual it also returned some of the
values needed to construct these cookies on the client. Presumably this was
to make things easier for clients that somehow couldn't handle the standard
cookie headers.
Then CentralAuth came along. Now, constructing the cookies manually would
log you in to the local wiki only, without taking advantage of the SUL
mechanism.
Then T55032[1] happened, and clients that were using the
manual-construction mechanism had to update their code because one of the
cookie names changed and that wasn't part of the data being returned.
And soon, we'll have SessionManager and AuthManager, which will make it
possible for login to easily happen in ways that don't involve cookies at
all.
So it's time to eliminate the pretense that clients can manually construct
the cookies instead of handing the standard HTTP cookie headers. Tentative
plan is to deprecate them now and then remove them sometime during 1.28; if
anyone objects to this schedule, please raise your concerns in
https://phabricator.wikimedia.org/T121527.
[1]:
https://phabricator.wikimedia.org/T55032
--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation