MediaWiki extensions manual
OOjs UI icon advanced-invert.svg
Release status: unmaintained
Implementation User identity , User activity , Special page
Description More secure session authorization and allows users to view open sessions.
Author(s) Tyler Romeo (Parent5446talk)
Latest version 0.6.0 (2020-03-14)
MediaWiki 1.35+
PHP 7.0+
Database changes No
Composer mediawiki/securesessionsw
License GNU General Public License 3.0 or later
  • $wgEnhancedSessionAuth
  • $wgSessionCycleId
Translate the SecureSessions extension if it is available at translatewiki.net

Check usage and version matrix.

Issues Open tasks · Report a bug

The SecureSessions extension implements more secure session authentication for logged in users by using stricter cookie-session comparisons and by optionally locking sessions to an IP address and/or User Agent. It also allows users to view all sessions logged in under their account, and log them out if wanted.


  • Pending resolution of T110465, this extension does not work with MediaWiki 1.27+.
  • Download the version corresponding to MediaWiki through Extension Distributor or Git (branch REL1_XX).
  • Make sure some sort of object caching is turned on.
  • Download and place the file(s) in a directory called SecureSessions in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php :
    wfLoadExtension( 'SecureSessions' );
  • Optionally install Extension:CLDR to enable authentication only from a specific country set in user preferences.
  • Optionally install Extension:TorBlock to disable authentication from a Tor exit node (user preference).
  •   Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

To users running MediaWiki 1.24 or earlier:

The instructions above describe the new way of installing this extension using wfLoadExtension(). If you need to install this extension on these earlier versions (MediaWiki 1.24 and earlier), instead of wfLoadExtension( 'SecureSessions' );, you need to use:

require_once "$IP/extensions/SecureSessions/SecureSessions.php";


Configures what restrictions to use on session authentication. For each item in the array, the key can be 'ip' (IP-based session restriction), 'useragent' (User Agent-based session restriction), or 'singlesession' (when a user logs in, all other sessions are logged out. For each key, it can be set to true (force the restriction), null (let the user decide on login), or false (disable the restriction). Additionally, this can be set to a boolean true or false. False is the equivalent of setting all keys to false. True is the equivalent of setting 'ip' and 'useragent' to true and setting 'singlesession' to null.
Whether or not to cycle the session ID on every request. The default is false. When turned on, this may cause small performance issues if not using memcached sessions (which you should be using anyway if you are that worried about performance).


Once installed, most of the extension occurs behind the scenes. The only UI changes users will notice is that for every null value in $wgEnhancedSessionAuth, a new checkbox will be added to the login form asking the user's preference on that restriction. In addition, there is a new link in the top right corner of the page that links to Special:Sessions, where a list of open sessions and a button to close all other sessions is displayed.

Known issuesEdit

  • When $wgSessionCycleId is set to true, users are sometimes accidentally logged out when typing things in the search bar.

See alsoEdit