It has long been the case that the load.php entry point, to support more
aggressive caching, should not depend on details of the current session.
For example, it should not access the session user, and should use its own
'lang' parameter for i18n messages rather than the session user's language.
After a fair bit of work[1] by Gergő Tisza, Timo Tijhof, Bryan Davis, and
myself, we have now flipped the switch to make attempted session access
fail with an exception when serving load.php. This will go out to Wikimedia
wikis with 1.28.0-wmf.1 next week.[2]
We've had this in logging mode for a while and haven't seen any log
messages in production recently, so we anticipate that this change won't
cause any issues for Wikimedia wikis. Third-party wikis may have to update
their extensions.
If there are problems, they'll manifest as missing CSS or JavaScript in the
page, and when examining the load.php output there will be a comment at the
top reporting that a BadMethodCallException was caught. The logged
exception's message will be "Sessions are disabled for this entry point".
[1]: See
https://phabricator.wikimedia.org/T127233 and its subtasks.
[2]: See
https://www.mediawiki.org/wiki/MediaWiki_1.28/Roadmap for the
schedule.
--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation