Руководство:$wgAuthenticationTokenVersion
| Аутентификация: $wgAuthenticationTokenVersion | |
|---|---|
| When changed, all existing sessions are invalidated. |
|
| Введено в версии: | 1.27.0 (Gerrit change 267734; git #fbec46e3) |
| Удалено в версии: | всё ещё используется |
| Допустимые значения: | (string) |
| Значение по умолчанию: | null |
| Другие настройки: По алфавиту | По функциональности | |
Details
$wgAuthenticationTokenVersion is used to salt the token stored in the database (user.user_token by default; some authentication extensions such as CentralAuth use a different field) before it's sent as a cookie (which is done when someone logs in with the "remember me" option enabled).
This means that changing the value will immediately detach all sessions and log all users out.
This is intended for emergencies such as a mass account compromise.
If $wgAuthenticationTokenVersion is set to null, the raw token value from the database is set in the cookie.
Note that using this setting to log users out has two limitations:
- if an attacker has obtained the raw token value from the database, and knows the value of
$wgAuthenticationTokenVersion, they can always calculate the cookie value.
- if
$wgAuthenticationTokenVersionis changed from null to a different value, old cookies will contain the raw database value; thus, while users will be logged out, sophisticated ones can recover their old session.
См. также
- resetUserTokens.php
- resetGlobalUserTokens.php - in CentralAuth