I have been making the assumption that in MediaWiki, the $_SESSION is
hidden from the
user. While applications may use the session to obtain data that's later
shown to the user,
there should be no way for the user to obtain the entire $_SESSION
contents.
So, for instance, I can hide a temporary secret there.
Is that a good assumption?
--
Neil Kandalgaonkar ( ) <neilk(a)wikimedia.org>