Extension:Third party session verification

• Download and place the file(s) in a directory called ThirdPartySessionVerification in your extensions/ folder.
• Add the following code at the bottom of your LocalSettings.php file:

  wfLoadExtension( 'ThirdPartySessionVerification' );
  

•   Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Your user receives a token by making a request to /w/api.php?action=session_verification.

Or, using the MediaWiki JavaScript API:

var api = new mw.Api();
api.get({
  action: 'session_verification',
  format: 'json'
}).done(function (data) {
  console.log(data.session_verification.token);
});

The response is on the form:

{
    "session_verification": {
        "token": "93b2b4a53724f0-91ef87-1593373844-1"
    }
}

Tokens are only given to logged in users. The token encodes the user ID and the timestamp.

Any service can now use the token to verify that a user is logged in. This extension does not prevent the same token from being verified multiple times, but you could keep track of used ones in your backend.

There is no time limit for tokens, but the parameter token_age_in_seconds is returned, so your service can opt to refuse old tokens.

To verify a token, send it to /w/api.php?action=session_verification&token=93b2b4a53724f0-91ef87-1593373844-392. The response is on the form:

{
    "session_verification": {
        "success": 1,
        "userID": "392",
        "token_age_in_seconds": 45
    }
}

You can now be certain that the user with the ID 392 was logged in when they said they were. You can now use API:Users to find information about the user with this user ID, such as their username and user rights.