Manual:$wgAuthenticationTokenVersion

Authentication: $wgAuthenticationTokenVersion
When changed, all existing sessions are invalidated.
Introduced in version:1.27.0 (Gerrit change 267734; git #fbec46e3)
Removed in version:still in use
Allowed values:(string)
Default value:null

Details edit

$wgAuthenticationTokenVersion is used to salt the token stored in the database (user.user_token by default; some authentication extensions such as CentralAuth use a different field) before it's sent as a cookie (which is done when someone logs in with the "remember me" option enabled). This means that changing the value will immediately detach all sessions and log all users out. This is intended for emergencies such as a mass account compromise.

If $wgAuthenticationTokenVersion is set to null, the raw token value from the database is set in the cookie.

Note that using this setting to log users out has two limitations:

  • if an attacker has obtained the raw token value from the database, and knows the value of $wgAuthenticationTokenVersion, they can always calculate the cookie value.
  • if $wgAuthenticationTokenVersion is changed from null to a different value, old cookies will contain the raw database value; thus, while users will be logged out, sophisticated ones can recover their old session.

See also edit