Podręcznik:$wgAuthenticationTokenVersion
Identyfikacja: $wgAuthenticationTokenVersion | |
---|---|
When changed, all existing sessions are invalidated. |
|
Wprowadzono w wersji: | 1.27.0 (Gerrit change 267734; git #fbec46e3) |
Usunięto w wersji: | nadal w użyciu |
Dozwolone wartości: | (string) |
Domyślna wartość: | null |
Inne ustawienia: Alfabetycznie | Według funkcji |
Szczegóły
$wgAuthenticationTokenVersion
is used to salt the token stored in the database (user.user_token
by default; some authentication extensions such as CentralAuth use a different field) before it's sent as a cookie (which is done when someone logs in with the "remember me" option enabled).
This means that changing the value will immediately detach all sessions and log all users out.
This is intended for emergencies such as a mass account compromise.
If $wgAuthenticationTokenVersion
is set to null, the raw token value from the database is set in the cookie.
Note that using this setting to log users out has two limitations:
- if an attacker has obtained the raw token value from the database, and knows the value of
$wgAuthenticationTokenVersion
, they can always calculate the cookie value.
- if
$wgAuthenticationTokenVersion
is changed from null to a different value, old cookies will contain the raw database value; thus, while users will be logged out, sophisticated ones can recover their old session.
Zobacz też
- resetUserTokens.php
- resetGlobalUserTokens.php - w CentralAuth