This is a (mostly minor) problem caused by MDL-74465.

To reproduce, save this script in the root of your Moodle site, then load it. (Attached here as test-read-only-session.php.)

<?php

require_once(__DIR__ . '/config.php');

$PAGE->set_url('/test.php');

$PAGE->set_context(context_system::instance());

\core\session\manager::write_close();

echo $OUTPUT->header();

echo $OUTPUT->footer();

Actual result:

Script /ou-moodle2/test.php mutated the session after it was closed: $SESSION->cachestore_session: default_session-core/coursecat

    line 787 of \lib\classes\session\manager.php: call to debugging()

    line 159 of \lib\classes\shutdown_manager.php: call to core\session\manager::check_mutated_closed_session()

    line ? of unknownfile: call to core_shutdown_manager::shutdown_handler()

Expected result: this should be fine.

Discussing in MDL-74465, we (marina & timhunt) thought "It is not a good idea to make a dependency between session management and output, like you said." That is, it should not cause issues to call \core\session\manager::write_close(); before $OUTPUT->header(); So, the question is: how best to prevent this warning?

One possible idea:

1. Change moodle_page::get_edited_page_hash() so that it is safe to call multiple times (by setting $this->_editedpagehash the first time it is called, and then if it is already set, returning immedately.
2. (However, if we do that, we probably need to add developer debug to warn if any of hte $PAGE->... values are chagned after get_edited_page_hash is called.)
3. Then, \core\session\manager::write_close() can call $PAGE->get_edited_page_hash before unlocking the sesions.