Extension:Third party session verification

MediaWiki extensions manual
Third party session verification
Release status: stable
Implementation API
Author(s) Egill (Ataaseqtalk)
Latest version 1.0 (2020-06-28)
Database changes No
License GNU General Public License 2.0 or later

The third party session verification extension allows other backend services to verify that a user is logged in.

Installation edit

  • Download and place the file(s) in a directory called ThirdPartySessionVerification in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'ThirdPartySessionVerification' );
  •   Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Use edit

Getting a token edit

Your user receives a token by making a request to /w/api.php?action=session_verification.

Or, using the MediaWiki JavaScript API:

var api = new mw.Api();
  action: 'session_verification',
  format: 'json'
}).done(function (data) {

The response is on the form:

    "session_verification": {
        "token": "93b2b4a53724f0-91ef87-1593373844-1"

Tokens are only given to logged in users. The token encodes the user ID and the timestamp.

Verifying the token edit

Any service can now use the token to verify that a user is logged in. This extension does not prevent the same token from being verified multiple times, but you could keep track of used ones in your backend.

There is no time limit for tokens, but the parameter token_age_in_seconds is returned, so your service can opt to refuse old tokens.

To verify a token, send it to /w/api.php?action=session_verification&token=93b2b4a53724f0-91ef87-1593373844-392. The response is on the form:

    "session_verification": {
        "success": 1,
        "userID": "392",
        "token_age_in_seconds": 45

You can now be certain that the user with the ID 392 was logged in when they said they were. You can now use API:Users to find information about the user with this user ID, such as their username and user rights.